[Opendnssec-user] Changing policy for some domains

Havard Eidnes he at uninett.no
Fri Apr 30 20:47:08 UTC 2021


>> I'm now one week later looking at the state of the keys with
>> ods-enforcer, and while the new KSK is generated and sits in the
>> zone, it doesn't look like OpenDNSSEC is doing a KSK roll-over to
>> complete the algorithm roll-over.  Is it waiting for the normal
>> roll-over time to come for the zone, and *then* doing the KSK
>> roll-over?  That seems counter-intuitive; I would have expected
>> that when I did "set-policy" and "enforce", it would realize that
>> I did indeed ask for a KSK with a new algorithm, and that an
>> automatic roll-over should be initiated immediately instead of
>> waiting for the normal rotation time previously specified (which
>> in my case is 1 year).  State of the keys for the zone now look
>> like this:
>
> Yes it is still waiting for a normal rollover period.  Could be
> a number of parameters in the kasp, such as long SOA or DNSKEY
> TTL, publish safety.  I'm working on a better insight for the
> date of next transition to show why and when a transition for
> which key is done.  But turned out to be more work.

Hm.  I nudged my OpenDNSSEC by doing

  ods-enforcer key rollover --zone urc.uninett.no --keytype KSK

and what appears to have happened is that it generated a new
ECDSA KSK.  However, this was before the existing ECDSA KSK had
entered the "waiting for ds-seen" state.

My supporting scripts trigger on "waiting for ds-seen" or
"waiting for ds-gone" in the "normal" "ods-enforcer key list"
output before taking steps to extract and publish the DS record
in the parent zone, and waiting for all parent zone name servers
returning the DS record before doing "ods-enforcer key ds-seen",
or removing the DS record and confirming via "ods-enforcer key
ds-gone" that none of the name servers for the parent zone
publish the corresponding DS record.

However, so far none of the ECDSA KSKs have reached this state.

The new state is:

ods @ test-signer: {4} ods-enforcer key list -z urc.uninett.no
Keys:
Zone:                           Keytype: State:    Date of next transition:
urc.uninett.no                  KSK      active    2021-04-30 22:36:48
urc.uninett.no                  ZSK      retire    2021-04-30 22:36:48
urc.uninett.no                  ZSK      ready     2021-04-30 22:36:48
urc.uninett.no                  KSK      retire    2021-04-30 22:36:48
urc.uninett.no                  ZSK      ready     2021-04-30 22:36:48
urc.uninett.no                  KSK      publish   2021-04-30 22:36:48
ods @ test-signer: {5} ods-enforcer key list -v -z urc.uninett.no
Keys:
Zone:                           Keytype: State:    Date of next transition: Size: Algorithm: CKA_ID:                          Repository: KeyTag:
urc.uninett.no                  KSK      active    2021-04-30 22:36:48      2048  8          60c393e7b35db5a0e9cf4a841693858f SoftHSM     46540
urc.uninett.no                  ZSK      retire    2021-04-30 22:36:48      1280  8          1a81c8138fc886c7c84e8ebcd49a386a SoftHSM     9730
urc.uninett.no                  ZSK      ready     2021-04-30 22:36:48      1280  8          4bbb93962f7bce0138c890889bff48b9 SoftHSM     42331
urc.uninett.no                  KSK      retire    2021-04-30 22:36:48      2048  13         1605e5edf3e2c9b022010386419f624a SoftHSM     42582
urc.uninett.no                  ZSK      ready     2021-04-30 22:36:48      1536  13         efd1db8fac425422cc8b5b8ad6837d2b SoftHSM     42185
urc.uninett.no                  KSK      publish   2021-04-30 22:36:48      2048  13         bddba6319af36d263b3c77c4f1a0b069 SoftHSM     2894
ods @ test-signer: {6} ods-enforcer key list -d -z urc.uninett.no
Keys:
Zone:                           Key role:     DS:          DNSKEY:      RRSIGDNSKEY: RRSIG:       Pub: Act: Id:
urc.uninett.no                  KSK           omnipresent  omnipresent  omnipresent  NA           1    1    60c393e7b35db5a0e9cf4a841693858f
urc.uninett.no                  ZSK           NA           omnipresent  NA           unretentive  1    0    1a81c8138fc886c7c84e8ebcd49a386a
urc.uninett.no                  ZSK           NA           omnipresent  NA           rumoured     1    1    4bbb93962f7bce0138c890889bff48b9
urc.uninett.no                  KSK           hidden       unretentive  unretentive  NA           0    0    1605e5edf3e2c9b022010386419f624a
urc.uninett.no                  ZSK           NA           rumoured     NA           rumoured     1    1    efd1db8fac425422cc8b5b8ad6837d2b
urc.uninett.no                  KSK           hidden       rumoured     rumoured     NA           1    1    bddba6319af36d263b3c77c4f1a0b069
ods @ test-signer: {7} 

while the old state was:

>> ods @ test-signer: {16} ods-enforcer key list -z urc.uninett.no -v
>> Keys:
>> Zone:                           Keytype: State:    Date of next transition: Size: Algorithm: CKA_ID:                          Repository: KeyTag:
>> urc.uninett.no                  KSK      active    2021-04-30 17:57:54      2048  8          60c393e7b35db5a0e9cf4a841693858f SoftHSM     46540
>> urc.uninett.no                  ZSK      retire    2021-04-30 17:57:54      1280  8          1a81c8138fc886c7c84e8ebcd49a386a SoftHSM     9730
>> urc.uninett.no                  ZSK      ready     2021-04-30 17:57:54      1280  8          4bbb93962f7bce0138c890889bff48b9 SoftHSM     42331
>> urc.uninett.no                  KSK      publish   2021-04-30 17:57:54      2048  13         1605e5edf3e2c9b022010386419f624a SoftHSM     42582
>> urc.uninett.no                  ZSK      ready     2021-04-30 17:57:54      1536  13         efd1db8fac425422cc8b5b8ad6837d2b SoftHSM     42185
>> ods @ test-signer: {17} ods-enforcer key list -z urc.uninett.no -d
>> Keys:
>> Zone:                           Key role:     DS:          DNSKEY:      RRSIGDNSKEY: RRSIG:       Pub: Act: Id:
>> urc.uninett.no                  KSK           omnipresent  omnipresent  omnipresent  NA           1    1    60c393e7b35db5a0e9cf4a841693858f
>> urc.uninett.no                  ZSK           NA           omnipresent  NA           unretentive  1    0    1a81c8138fc886c7c84e8ebcd49a386a
>> urc.uninett.no                  ZSK           NA           omnipresent  NA           rumoured     1    1    4bbb93962f7bce0138c890889bff48b9
>> urc.uninett.no                  KSK           hidden       rumoured     rumoured     NA           1    1    1605e5edf3e2c9b022010386419f624a
>> urc.uninett.no                  ZSK           NA           rumoured     NA           rumoured     1    1    efd1db8fac425422cc8b5b8ad6837d2b
>> ods @ test-signer: {18} ods-enforcer key list -z urc.uninett.no
>> Keys:
>> Zone:                           Keytype: State:    Date of next transition:
>> urc.uninett.no                  KSK      active    2021-04-30 17:58:55
>> urc.uninett.no                  ZSK      retire    2021-04-30 17:58:55
>> urc.uninett.no                  ZSK      ready     2021-04-30 17:58:55
>> urc.uninett.no                  KSK      publish   2021-04-30 17:58:55
>> urc.uninett.no                  ZSK      ready     2021-04-30 17:58:55
>> ods @ test-signer: {19}

Best regards,

- Håvard
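The gating logic Håvard describes above (trigger on "waiting for ds-seen" / "waiting for ds-gone" in the enforcer's key list, then only call ds-seen once every parent name server returns the DS record, and ds-gone once none of them do) can be written as a small checker. The following is an added example, not code from the post or from the OpenDNSSEC project. It parses key-list output in the column layout pasted in the thread, with constructed sample rows; that the "waiting for ds-seen" text appears in the "Date of next transition" column is an assumption about the enforcer's output, the per-nameserver DS view is a constructed dictionary standing in for real DNS queries so the script runs offline, and the `--zone` / `--keytag` flags for `ods-enforcer key ds-seen` are assumed from the tool's usage text rather than taken from the thread.

```python
"""Gate ods-enforcer ds-seen / ds-gone on what the parent zone actually publishes.

Added example, not from the original post or the OpenDNSSEC code base.
"""
from dataclasses import dataclass
from typing import Callable, Iterable, List, Set, Tuple

# Constructed sample of `ods-enforcer key list -v` output.  Column layout follows
# the thread; the "waiting for ds-seen"/"waiting for ds-gone" marker in the
# next-transition column is an assumption about the enforcer's output.
SAMPLE_KEY_LIST = """\
Keys:
Zone:                           Keytype: State:    Date of next transition: Size: Algorithm: CKA_ID:                          Repository: KeyTag:
urc.uninett.no                  KSK      retire    waiting for ds-gone      2048  8          60c393e7b35db5a0e9cf4a841693858f SoftHSM     46540
urc.uninett.no                  ZSK      active    2021-05-01 22:36:48      1536  13         efd1db8fac425422cc8b5b8ad6837d2b SoftHSM     42185
urc.uninett.no                  KSK      ready     waiting for ds-seen      2048  13         bddba6319af36d263b3c77c4f1a0b069 SoftHSM     2894
"""


@dataclass(frozen=True)
class KeyRecord:
    zone: str
    keytype: str
    state: str
    transition: str  # either a timestamp or a "waiting for ..." marker
    size: int
    algorithm: int
    cka_id: str
    repository: str
    keytag: int


def parse_key_list(text: str) -> List[KeyRecord]:
    """Parse verbose key-list output.  The transition column may contain spaces,
    so take the first three and last five whitespace-separated fields and join
    whatever is left in the middle."""
    records: List[KeyRecord] = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 9 or fields[0] in ("Keys:", "Zone:"):
            continue  # banner / header rows
        zone, keytype, state = fields[:3]
        size, alg, cka_id, repo, keytag = fields[-5:]
        transition = " ".join(fields[3:-5])
        records.append(KeyRecord(zone, keytype, state, transition,
                                 int(size), int(alg), cka_id, repo, int(keytag)))
    return records


def pending_ds_actions(records: Iterable[KeyRecord]) -> List[Tuple[str, KeyRecord]]:
    """KSKs whose next transition is gated on the parent zone:
    ('ds-seen', key) when the DS must appear, ('ds-gone', key) when it must vanish."""
    actions = []
    for rec in records:
        if rec.keytype != "KSK":
            continue
        if rec.transition == "waiting for ds-seen":
            actions.append(("ds-seen", rec))
        elif rec.transition == "waiting for ds-gone":
            actions.append(("ds-gone", rec))
    return actions


# (nameserver, zone) -> key tags present in the DS RRset that server returns.
DsLookup = Callable[[str, str], Set[int]]


def disagreeing_servers(action: str, rec: KeyRecord,
                        nameservers: Iterable[str], lookup: DsLookup) -> List[str]:
    """Servers that do NOT yet agree: for ds-seen those still missing the DS,
    for ds-gone those still publishing it.  Empty list means safe to proceed."""
    want_present = action == "ds-seen"
    return [ns for ns in nameservers
            if (rec.keytag in lookup(ns, rec.zone)) != want_present]


def plan(key_list_text: str, nameservers: List[str],
         lookup: DsLookup) -> Tuple[List[str], List[str]]:
    """Return (commands safe to run now, reasons to hold off)."""
    ready, held = [], []
    for action, rec in pending_ds_actions(parse_key_list(key_list_text)):
        lagging = disagreeing_servers(action, rec, nameservers, lookup)
        if lagging:
            held.append(f"{action} keytag {rec.keytag}: waiting on {', '.join(lagging)}")
        else:
            # Flag names assumed from ods-enforcer usage; confirm with `ods-enforcer help`.
            ready.append(f"ods-enforcer key {action} --zone {rec.zone} --keytag {rec.keytag}")
    return ready, held


# Constructed snapshot of the parent's DS RRset as seen from each name server;
# ns3 has not yet dropped the old KSK's DS record.
PARENT_NS = ["ns1.parent.example", "ns2.parent.example", "ns3.parent.example"]
SAMPLE_DS_VIEW = {
    "ns1.parent.example": {2894},
    "ns2.parent.example": {2894},
    "ns3.parent.example": {46540, 2894},
}


def sample_lookup(nameserver: str, zone: str) -> Set[int]:
    """Offline stand-in for querying the parent's name servers for the DS RRset."""
    return SAMPLE_DS_VIEW[nameserver]


if __name__ == "__main__":
    ready, held = plan(SAMPLE_KEY_LIST, PARENT_NS, sample_lookup)
    for cmd in ready:
        print("RUN :", cmd)
    for reason in held:
        print("HOLD:", reason)
```

With the constructed data the new ECDSA KSK (tag 2894) is visible at all three servers, so its ds-seen is cleared, while ds-gone for the old RSA KSK (tag 46540) is held because one server still publishes its DS; calling ds-gone early there would let the enforcer withdraw the DNSKEY while a validator could still be using that DS, which is exactly the window the all-servers check closes.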

