[Opendnssec-user] Upgrade to 2.1.8
Ton
ton.amsterdam.nl at gmail.com
Thu Mar 25 10:08:28 UTC 2021
I think I now understand the 'date of next transition' with ODS 2 better.
named at signer-test> ods-enforcer rollover list --zone nltestdomain.nl
Keys:
Zone: Keytype: Rollover expected:
nltestdomain.nl ZSK 2021-05-22 12:42:33
nltestdomain.nl ZSK 2021-05-22 12:42:33
nltestdomain.nl KSK 2026-02-17 12:42:33
This date of 2021-05-21 matches what is seen with key list:
named at signer-test> ods-enforcer key list --zone nltestdomain.nl
Keys:
Zone: Keytype: State: Date of next transition:
nltestdomain.nl ZSK active 2021-05-22 12:42:33
nltestdomain.nl ZSK active 2021-05-22 12:42:33
nltestdomain.nl KSK active 2021-05-22 12:42:33
That seems to have changed since ODS v1, where for the KSK key it
printed the rollover date for that specific key. Now we know; nothing
to worry about then.
Also managed to clean out the 'dssub' key that was there from ODS V1.
Key 10840 is what's active in the parent zone, 24689 is the old
"dssub key" that was never used.
named at signer-test> ods-enforcer key list -t KSK -v -z nltestdomain.nl
Keys:
Zone:           Keytype: State:  Date of next transition: Size: Algorithm: CKA_ID:                          Repository: KeyTag:
nltestdomain.nl KSK      retire  waiting for ds-gone      2048  8          2be0e8db879760f7d7212dcba1365e34 SoftHSM     24689
nltestdomain.nl KSK      active  2021-05-22 12:42:33      2048  8          783805eb0f0003b3edc5c6820b608686 SoftHSM     10840
named at signer-test> ods-enforcer key ds-gone --zone nltestdomain.nl
--keytag 24689
1 KSK matches found.
1 KSKs changed.
named at signer-test> ods-enforcer key list -t KSK -v -z nltestdomain.nl
Keys:
Zone:           Keytype: State:  Date of next transition: Size: Algorithm: CKA_ID:                          Repository: KeyTag:
nltestdomain.nl KSK      retire  2021-03-23 15:22:01      2048  8          2be0e8db879760f7d7212dcba1365e34 SoftHSM     24689
nltestdomain.nl KSK      active  2021-03-23 15:22:01      2048  8          783805eb0f0003b3edc5c6820b608686 SoftHSM     10840
named at signer-test> ods-enforcer key purge --zone nltestdomain.nl
deleting key: 2be0e8db879760f7d7212dcba1365e34
Refrained from deleting keys from HSM
named at signer-test> ods-enforcer key list -t KSK -v -z nltestdomain.nl
Keys:
Zone:           Keytype: State:  Date of next transition: Size: Algorithm: CKA_ID:                          Repository: KeyTag:
nltestdomain.nl KSK      active  2021-04-06 15:22:01      2048  8          783805eb0f0003b3edc5c6820b608686 SoftHSM     10840
Is this indeed a good practice, to remove the retired 'dssub' keys
that came from ODS V1 to V2 migration?
Is it normal that 'ods-enforcer key export -a' will not export any
keys on ODS V2? The manual page seems to suggest that this should
work. On our test system it comes back with zero keys. This did work
on ODS v1. Exporting specifically for a domain does work. So not a big
issue.
Something else I noticed while working on this:
https://www.opendnssec.org/migration-from-1-4-to-2-1/ seems to have a
typo. Conversion step 5 suggests using ./convert_sqlite; that should
probably be ./convert_mysql.
Thanks!
On Thu, Mar 18, 2021 at 3:14 PM Ton <ton.amsterdam.nl at gmail.com> wrote:
>
> We did a test upgrade from ODS 1.4.14 to 2.1.8. There has been enough procrastination regarding this upgrade. :)
>
> With ODS version 1.4.14:
>
> # ods-ksmutil key list -z nltestdomain.nl -t KSK
> Keys:
> Zone: Keytype: State: Date of next transition:
> nltestdomain.nl KSK dssub waiting for ds-seen
> nltestdomain.nl KSK active 2026-03-14 11:58:56
>
> After the upgrade to 2.1.8 we have:
>
> # ods-enforcer key list -z nltestdomain.nl -t KSK
> Keys:
> Zone: Keytype: State: Date of next transition:
> nltestdomain.nl KSK retire waiting for ds-gone
> nltestdomain.nl KSK active 2021-03-19 12:33:43
>
> The date of the next transition for the ACTIVE key becomes 24 hours later.
> While it was in 2026 before the migration.
> Is that normal or something to worry about?
>
> Thanks!
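The cleanup above marks a retired KSK as ds-gone and then purges it. Telling the enforcer the DS is gone while the parent still publishes a DS for that key tag would let a key be purged that validators still chain to, so the one check worth automating is a cross-check of the enforcer's retired KSKs against the DS RRset actually served by the parent. The script below is an added example written for this thread; it is not part of OpenDNSSEC and not the poster's code. Both inputs are constructed samples: a key list modelled on the `ods-enforcer key list -v` output in the thread with the wrapped columns joined back onto one line per key, and a DS answer of the kind `dig +noall +answer DS nltestdomain.nl @<parent-server>` would return. Only the `ods-enforcer key ds-gone --zone ... --keytag ...` invocation printed at the end is a real command from the thread; the script prints it rather than running it.

```shell
#!/bin/sh
# Added example (not OpenDNSSEC code): decide which KSKs in the enforcer state
# 'retire waiting for ds-gone' are really safe to mark with 'key ds-gone'.

ZONE="nltestdomain.nl"

# CONSTRUCTED sample: 'ods-enforcer key list -v -t KSK -z $ZONE', one key per line.
# Columns: zone keytype state next-transition size alg cka_id repository keytag
KEY_LIST='nltestdomain.nl KSK retire waiting for ds-gone 2048 8 2be0e8db879760f7d7212dcba1365e34 SoftHSM 24689
nltestdomain.nl KSK active 2021-05-22 12:42:33 2048 8 783805eb0f0003b3edc5c6820b608686 SoftHSM 10840'

# CONSTRUCTED sample: DS RRset as the parent serves it (dig answer-section format).
# Field 5 of a DS record is the key tag; the digest here is a placeholder.
PARENT_DS='nltestdomain.nl. 3600 IN DS 10840 8 2 0000000000000000000000000000000000000000000000000000000000000000'

# Key tags of KSKs the enforcer is holding in 'retire waiting for ds-gone'.
# $1: key list text
waiting_for_ds_gone() {
    printf '%s\n' "$1" |
        awk '$2 == "KSK" && $3 == "retire" && /waiting for ds-gone/ { print $NF }'
}

# Key tags the parent still publishes as DS records.
# $1: DS RRset text
parent_ds_tags() {
    printf '%s\n' "$1" | awk '$4 == "DS" { print $5 }'
}

# Retired KSKs whose DS is absent from the parent: these are safe for 'key ds-gone'.
# A retired key whose tag is still in the parent is reported on stderr and skipped,
# because marking it ds-gone would let 'key purge' remove a key validators still use.
# $1: key list text, $2: DS RRset text
ds_gone_candidates() {
    published=$(parent_ds_tags "$2")
    for tag in $(waiting_for_ds_gone "$1"); do
        if printf '%s\n' "$published" | grep -qx "$tag"; then
            echo "keytag $tag still has a DS in the parent; not marking ds-gone" >&2
        else
            echo "$tag"
        fi
    done
}

# Dry run: print the enforcer commands to run; pipe the output into sh to apply.
for tag in $(ds_gone_candidates "$KEY_LIST" "$PARENT_DS"); do
    echo "ods-enforcer key ds-gone --zone $ZONE --keytag $tag"
done
```

With the constructed inputs the parent only publishes a DS for 10840, so the script prints the ds-gone command for 24689 only; if the DS for 24689 were still in the parent, nothing would be printed and the key would stay in 'retire waiting for ds-gone' until the parent is fixed.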