Hi all, I'm new to DNSSEC but I seem to be having the same kind of problem as Antti (if not, sorry, should have started another topic)
Basically, I'm starting from scratch. New zone, new SoftHSM token, new database
initiated with ods-ksmutil setup.
Zone gets signed on the first run, no problem (timestamp: Jun 1 11:15).
At the next run, I get the following warning:
Jun 1 12:15:40 localhost ods-enforcerd: WARNING: key rollover not
completed as there are no keys in the 'ready' state; ods-enforcerd will try
again when it runs next
The same message is repeated 12 times until Jun 2 01:15, when I get:
Jun 2 01:15:43 localhost ods-enforcerd: INFO: New DS records needed
for the zone test.champ.aero; details will follow
Jun 2 01:15:43 localhost ods-enforcerd: WARNING: KSK Retirement
reached; please submit the new DS for test.champ.aero and use ods-ksmutil key
ksk-roll to roll the key.
Jun 2 01:15:43 localhost ods-enforcerd: No change to:
/var/opendnssec/signconf/test.champ.aero.xml
Jun 2 01:15:43 localhost ods-enforcerd: DSChanged
Jun 2 01:15:43 localhost ods-enforcerd: DS Record set has changed, the
current set looks like:
Jun 2 01:15:43 localhost ods-enforcerd:
test.champ.aero.#0113600#011IN#011DNSKEY#011257 3 7
AwEAAcZhUaxnhrd7i4s1Krl48dJortTSkDfUKPsDBNdAX4u+jLO8z7CwVhCH3dGbS9UVffWzw08h4VXYpCe3UDWdgyYcW2zqM8ob2xxK6C1pstWPRnbROaeYRJv4PWLRQCSiQZEGp14fg2uRHCpiN2+yov1xqjkTAWl+MoixhlY9M0jpA+gf/Y5nCHXYycDMnTioyu+nqqJ9hqQtFpiYuVY70oplxzOMLN7jNwU/p41eH8Twl2kSrv80z9ZFkZea9gUaFkzWHSdwfXxcrdogKHFV01pW+JJ7/SWjHIB8XZGhgy0neATkCu/07C5+e9cGeS1Rzgqi53ciwMvQP22rPDvs95k=
;{id = 57264 (ksk), size = 2048b}
Jun 2 01:15:43 localhost ods-enforcerd:
test.champ.aero.#0113600#011IN#011DNSKEY#011257 3 7
AwEAAcAGau1cCGRun9jbi1Ez56ruMsomaovUmOVho35nCqom5E3esX20qGc1juHPYuA+pjKgisV7nmcjRYJMM+BYaCPWJzc63EyD7yX99CCVkvWStX+U35sXflOKi1zz+wz63GvhO3cDMFLcK5BYp01oo9FkLmkB2dSzgCaYYw8yee8+c6+9wyQwwcDtcY9qz6Skju83Maze5so7QKTIL3S2dzPovv90uK6tDoe3iJKSICdB17wSyd1JiWCETYfheEWgUIrUV+9RBDMC8DByJeFI4cPkYe3LgMlYT4Skk9mx9iYhSnBq5Fz73RzitvcIGBuK5qK0+60AbrvL7ecgKB8R308=
;{id = 29059 (ksk), size = 2048b}
Jun 2 01:15:43 localhost ods-enforcerd: Once the new DS records are
seen in DNS please issue the ds-seen command for zone test.champ.aero with the
following cka_ids, cfda403548f5bb57415cf9c023a7897f,
3e6a3440db759e87dc89823e03285c7a
Then comes the good old warning:
Jun 2 02:15:43 localhost ods-enforcerd: WARNING: KSK Retirement
reached; please submit the new DS for test.champ.aero and use ods-ksmutil key
ksk-roll to roll the key.
... until the end of the log file (which I attached for completeness).
At this point I have the following keys:
# ods-ksmutil key list -v
SQLite database set to: /var/opendnssec/kasp.db
Keys:
Zone:            Keytype:  State:     Date of next transition:  CKA_ID:                           Repository:  Keytag:
test.champ.aero  KSK       ready      waiting for ds-seen       cfda403548f5bb57415cf9c023a7897f  SoftHSM      57264
test.champ.aero  KSK       dssub      waiting for ds-seen       3e6a3440db759e87dc89823e03285c7a  SoftHSM      29059
test.champ.aero  ZSK       active     2010-07-01 11:15:39       14f39590a565fc8ffcc2b7909866c838  SoftHSM      34263
test.champ.aero  ZSK       ready      next rollover             523e6e8d309b252f993eaa8957bd5bfd  SoftHSM      28694
According to the logs, I should perform:
ods-ksmutil key ds-seen -z test.champ.aero --cka_id cfda403548f5bb57415cf9c023a7897f
ods-ksmutil key ds-seen -z test.champ.aero --cka_id 3e6a3440db759e87dc89823e03285c7a
If I do it, here is what I get:
# ods-ksmutil key ds-seen -z test.champ.aero --cka_id cfda403548f5bb57415cf9c023a7897f
SQLite database set to: /var/opendnssec/kasp.db
Found key with CKA_ID cfda403548f5bb57415cf9c023a7897f
Key cfda403548f5bb57415cf9c023a7897f made active
Error: retiring a key would leave no active keys on zone, skipping...
# ods-ksmutil key ds-seen -z test.champ.aero --cka_id 3e6a3440db759e87dc89823e03285c7a
SQLite database set to: /var/opendnssec/kasp.db
Found key with CKA_ID 3e6a3440db759e87dc89823e03285c7a
Key 3e6a3440db759e87dc89823e03285c7a made into standby
# ods-ksmutil key list -v
SQLite database set to: /var/opendnssec/kasp.db
Keys:
Zone:            Keytype:  State:      Date of next transition:  CKA_ID:                           Repository:  Keytag:
test.champ.aero  KSK       active      2011-06-02 10:51:31       cfda403548f5bb57415cf9c023a7897f  SoftHSM      57264
test.champ.aero  KSK       dspublish   2010-06-02 15:38:57       3e6a3440db759e87dc89823e03285c7a  SoftHSM      29059
test.champ.aero  ZSK       active      2010-07-01 11:15:39       14f39590a565fc8ffcc2b7909866c838  SoftHSM      34263
test.champ.aero  ZSK       ready       next rollover             523e6e8d309b252f993eaa8957bd5bfd  SoftHSM      28694
Notice the KSK in dspublish state with next transition: 2010-06-02 ... That's
weird! Shouldn't it be "next rollover" instead?
Or am I doing something wrong here / missing an important point?
Besides, I only have one key published in the zone, which is the active KSK.
Thanks for the help!
Fred
-----Original Message-----
From: [email protected]
[mailto:[email protected]] On Behalf Of Sion Lloyd
Sent: 01 June 2010 13:25
To: [email protected]; [email protected]
Subject: Re: [Opendnssec-user] Version 1.1.0 and KSK rollover logic
On Monday 31 May 2010 11:40:49 am Antti Ristimäki wrote:
> Hi,
>
> On Fri, 2010-05-28 at 13:02 +0300, Antti Ristimäki wrote:
> > On Fri, 2010-05-28 at 11:34 +0300, Sion Lloyd wrote
> >
> > > We have 2 situations to consider, "emergency" rollover and scheduled
> > > rollover.
> > >
> > > The standby key is not used for scheduled rollover, a new key will be
> > > pre-published for that.
> > >
> > > The standby key will come into use if a rollover command is issued
> > > out-of-sequence. The thinking here is that the submission of the DS
> > > to the parent is likely to be the slower step in the process, so we
> > > can get this out of the way early on before we need to act fast.
> >
> > OK, this is probably a good idea. But is the scheduled rollover now
> > meant to be initiated only automatically or how does ods-enforcer
> > differentiate a scheduled rollover from an emergency one, if they are
> > both initiated with the same "ods-ksmutil key rollover..." command?
The idea is that you do not need to issue the "key rollover" command for a
scheduled rollover, only the ds-seen. I see where the confusion comes in
though, I'll look at making our documentation clearer.
> > In my case, "ods-ksmutil key rollover -z <zone> --keytype KSK" seems to
> > introduce a new KSK in the DNSKEY RRset rather than using the standby
> > KSK. However, this may be due to the fact that my standby KSK is still
> > in "dspublish" state...I guess the standby KSK will enter "dsready" or
> > similar after the standby DS has propagated to caches?
>
> It seems that if your standby KSK is in "DSREADY" state and you type
> "ods-ksmutil key rollover -z <zone> --keytype KSK", OpenDNSSEC starts
> signing the DNSKEY RRset with the standby KSK, in addition to the active
> KSK, as expected. However, the standby KSK doesn't appear in the DNSKEY
> RRset immediately, which I find weird. That is, the DNSKEY RRset is
> signed with a KSK that is not even present in the zone DNSKEY RRset!?
That does sound odd, can you send me (off list) the signconf that was used at
this time, if you still have it?
> With regards to my previous mail, it would be very nice indeed to be
> able to trigger the "normal" (i.e. non-emergency) rollover manually, for
> example for testing purposes etc. Now it doesn't seem to be possible.
I can add this to the requirements. If I understand, you would like to shorten
the lifespan of the currently active key such that a "scheduled" rollover
begins immediately. I.e. a new key is pre-published.
Sion
_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
