On 01/28/2011 12:29 AM, Sion Lloyd wrote:
> On Wednesday 26 Jan 2011 10:16:39 AM Rickard Bellgrim wrote:
>> On 19 jan 2011, at 23.28, Sebastian Castro wrote:
>>> Back to the original subject: This test should work or not? Is
>>> OpenDNSSEC prepared for a policy change for a zone?
>>
>> It should work.
>>
>> Sion, could you have a look on this?
>
> Sorry it took me a while to get time to look at this. It should work... Could
> you send me your kasp.db (off-list) and I'll see what is going on.
>
> I suspect that it is stopping the roll because there are no ready keys on the
> new policy, but not promoting any keys because there is a ready key on the
> zone... In other words it might be a consequence of the state of keys on the
> zone at the time that you changed the policy.
>

Chronology of the event:
- Zone was changed from policy on Jan 12, 11:34
- Key status for each zone is collected once each hour, so I have the
  status as reported by 'ods-ksmutil key list' at 11:20 and 12:20

On Wed Jan 12 11:20:01 2011
example.com KSK active 2011-01-16 11:12:52 04107d196a2752478fd6cb9b7de6e392 softHSM 31479
example.com ZSK retire 2011-01-14 19:31:43 616829e136fdf60c0e0b321e051ec430 softHSM 58635
example.com ZSK retire 2011-01-16 19:38:22 edcb15c6d241687e1b0b7c0876ebb7b0 softHSM 10022
example.com KSK ready waiting for ds-seen 7f125554c235727fa9596f308016f792 softHSM 3183
example.com KSK dssub waiting for ds-seen d7ed463e105b9e285999a1b55a367a5a softHSM 27145
example.com ZSK active 2011-01-13 17:28:22 3766125b6eb6b55a181ee10091b2e2a2 softHSM 20670

On Wed Jan 12 12:20:01 2011
example.com KSK active 2011-01-16 11:12:52 04107d196a2752478fd6cb9b7de6e392 softHSM 31479
example.com ZSK retire 2011-01-13 18:29:22 edcb15c6d241687e1b0b7c0876ebb7b0 softHSM 10022
example.com KSK ready waiting for ds-seen 7f125554c235727fa9596f308016f792 softHSM 3183
example.com KSK dssub waiting for ds-seen d7ed463e105b9e285999a1b55a367a5a softHSM 27145
example.com ZSK active 2011-01-13 17:28:22 3766125b6eb6b55a181ee10091b2e2a2 softHSM 20670

On Thu Jan 13 17:20:02 2011 a new ZSK (keytag 17879) was published and
became ready one hour later (following policy).

The current status looks like this:
example.com KSK keypublish 2011-01-31 11:14:52 d7ed463e105b9e285999a1b55a367a5a softHSM 27145
example.com ZSK active 2011-01-13 17:28:22 3766125b6eb6b55a181ee10091b2e2a2 softHSM 20670
example.com ZSK ready next rollover 97f9f36690dd2d5e7667c99770557e24 softHSM 17879
example.com KSK active 2011-01-29 15:33:27 6fe16f5d8cffc89643478ea70a1534d5 softHSM 8745
example.com KSK publish 2011-01-31 11:14:52 14974a8cd4b7f252325353e0809e05cb softHSM 52093
example.com KSK dssub waiting for ds-seen ea97477a5cd0cac9f06b6198c1ae9d9d softHSM 43678

I'm sending a copy of the kasp db off-list to Sion.

Cheers,

> Cheers,
>
> Sion

--
Sebastian Castro
DNS Specialist
.nz Registry Services (New Zealand Domain Name Registry Limited)
desk: +64 4 495 2337
mobile: +64 21 400535
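
Added example, not part of the original message and not OpenDNSSEC code: a short Python script that parses the 11:20 and 12:20 key listings quoted in the message and reports what changed between the two hourly snapshots. The regular expression and the field names are assumptions based only on the lines shown in the message.

```python
import re

# Column layout inferred from the quoted listings; field names are this example's own labels.
LINE = re.compile(
    r"^(?P<zone>\S+)\s+(?P<type>KSK|ZSK)\s+(?P<state>\S+)\s+(?P<next>.+?)\s+"
    r"(?P<cka_id>[0-9a-f]{32})\s+(?P<repo>\S+)\s+(?P<keytag>\d+)$"
)

def parse(snapshot):
    """Return {cka_id: fields} for every key line in one snapshot."""
    keys = {}
    for raw in snapshot.strip().splitlines():
        m = LINE.match(raw.strip())
        if m:
            keys[m["cka_id"]] = m.groupdict()
    return keys

def diff(before, after):
    """List (change, keytag, detail) tuples between two snapshots."""
    old, new = parse(before), parse(after)
    changes = []
    for cka, k in old.items():
        if cka not in new:
            changes.append(("removed", k["keytag"], f"{k['type']} {k['state']}"))
            continue
        for field in ("state", "next"):
            if k[field] != new[cka][field]:
                changes.append((field, k["keytag"], f"{k[field]} -> {new[cka][field]}"))
    for cka, k in new.items():
        if cka not in old:
            changes.append(("added", k["keytag"], f"{k['type']} {k['state']}"))
    return changes

# The 11:20 and 12:20 listings from the message, copied unchanged.
SNAP_1120 = """example.com KSK active 2011-01-16 11:12:52 04107d196a2752478fd6cb9b7de6e392 softHSM 31479
example.com ZSK retire 2011-01-14 19:31:43 616829e136fdf60c0e0b321e051ec430 softHSM 58635
example.com ZSK retire 2011-01-16 19:38:22 edcb15c6d241687e1b0b7c0876ebb7b0 softHSM 10022
example.com KSK ready waiting for ds-seen 7f125554c235727fa9596f308016f792 softHSM 3183
example.com KSK dssub waiting for ds-seen d7ed463e105b9e285999a1b55a367a5a softHSM 27145
example.com ZSK active 2011-01-13 17:28:22 3766125b6eb6b55a181ee10091b2e2a2 softHSM 20670"""
SNAP_1220 = """example.com KSK active 2011-01-16 11:12:52 04107d196a2752478fd6cb9b7de6e392 softHSM 31479
example.com ZSK retire 2011-01-13 18:29:22 edcb15c6d241687e1b0b7c0876ebb7b0 softHSM 10022
example.com KSK ready waiting for ds-seen 7f125554c235727fa9596f308016f792 softHSM 3183
example.com KSK dssub waiting for ds-seen d7ed463e105b9e285999a1b55a367a5a softHSM 27145
example.com ZSK active 2011-01-13 17:28:22 3766125b6eb6b55a181ee10091b2e2a2 softHSM 20670"""

if __name__ == "__main__":
    for change in diff(SNAP_1120, SNAP_1220):
        print(*change)
```

On these two listings the script reports that the ZSK with keytag 58635 is no longer listed at 12:20 and that the transition time shown for the retiring ZSK 10022 changed from 2011-01-16 19:38:22 to 2011-01-13 18:29:22.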
