On 27/09/14 12:38, Simon Arlott wrote:
> On 27/09/14 10:32, Simon Arlott wrote:
>>> What was in the signconf.xml? Because
>>> if the ZSK was not configured there, the signer will happily sign the
>>> zone with just the KSK (if in signconf.xml of course).
>>
>> I have the same problem. I had recently deleted a zone with:
>> $ ods-ksmutil zone delete --zone example.com
>>
>> About 45 minutes later, for a different zone, it removed all the
>> signatures except those made by the KSK on the DNSKEY RRs. At the same
>> time it also removed the previous ZSK:
>
> sqlite> select * from keydata_view where zone_id=41 order by publish;
> id|state|generate|publish|ready|active|retire|dead|keytype|algorithm|location|zone_id|policy_id|securitymodule_id|size|compromisedflag|fixedDate
> 572|4|2014-03-27 14:15:36|2014-03-27 14:15:55|2014-03-28 19:15:50|2014-03-29 13:15:11|2015-03-29 13:15:11||257|10|5e542722830a435d0d81147ac93abfdd|41|1|1|1536||0
> 588|6|2014-04-09 19:15:38|2014-04-09 19:15:54|2014-04-10 23:16:18|2014-04-11 00:16:27|2014-07-13 00:16:35|2014-09-15 03:16:54|256|10|3546bb15af9d76528456edda7e598d66|41|1|1|1280||0
> 622|6|2014-07-11 20:16:04|2014-07-11 20:16:19|2014-07-13 00:16:35|2014-07-13 00:16:35|2014-10-14 00:16:35|2014-09-26 21:32:57|256|10|9d6ead2e49d09e17b8836717a612bc39|41|1|1|1280||0
> 580|2|2014-04-09 17:16:18|2014-09-26 22:16:10|2014-09-28 02:16:10||||256|10|4b8a3da57795e718c29eb8c611d2fa1a|41|1|1|1280||0
>
> These are the keys belonging to the deleted zone:
> sqlite> select * from keydata_view where zone_id is null;
> id|state|generate|publish|ready|active|retire|dead|keytype|algorithm|location|zone_id|policy_id|securitymodule_id|size|compromisedflag|fixedDate
> 525||2013-08-09 07:52:33|||||||10|6a04bbf7856da75cd28390250ddd6aba||1|1|1536||0
> 613||2014-07-11 19:15:34|||||||10|ce1ffd3f83c091c17e494cd82600ca9f||1|1|1280||0
sqlite> select * from dnsseckeys where zone_id=41;
id|keypair_id|zone_id|keytype|state|publish|ready|active|retire|dead
484|572|41|257|4|2014-03-27 14:15:55|2014-03-28 19:15:50|2014-03-29 13:15:11|2015-03-29 13:15:11|
503|588|41|256|6|2014-04-09 19:15:54|2014-04-10 23:16:18|2014-04-11 00:16:27|2014-07-13 00:16:35|2014-09-15 03:16:54
525|622|41|256|6|2014-07-11 20:16:19|2014-07-13 00:16:35|2014-07-13 00:16:35|2014-10-14 00:16:35|2014-09-26 21:32:57
535|580|41|256|2|2014-09-26 22:16:10|2014-09-28 02:16:10|||

It has marked the keys with id=525 and id=613 as dead instead of the keys with keypair_id=525 and keypair_id=613. This was fixed in r6351 (SUPPORT-27). I've now manually repaired the database.

The effect of a key becoming dead or going missing is still broken as of r7647:
> Regardless of how the old key got marked dead, it should have made the
> new ZSK active immediately because there were no other live ZSKs.

-- 
Simon Arlott
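The id/keypair_id mix-up described in this mail, reproduced as an added example (not code from the mail or from OpenDNSSEC). It rebuilds the quoted rows in an in-memory SQLite database, runs the wrong predicate beside the corrected one, and adds two checks an operator can run after a zone delete: one that flags keys of a live zone whose dead time precedes their scheduled retire time, and one that lists the ZSKs still active for a zone. The table name `keypairs`, the reduced column set, the meaning of state code 6 as "dead" and state 4 as "active" are assumptions for the illustration; the sample rows are constructed from the values quoted above.

```python
import sqlite3

# Constructed sample modelled on the rows quoted in the mail. The table name
# "keypairs" and the reduced column set are assumptions for this illustration,
# not OpenDNSSEC's real schema (the mail shows a view, keydata_view, which
# joins the keypair records with dnsseckeys).
SCHEMA = """
CREATE TABLE keypairs (
    id INTEGER PRIMARY KEY, zone_id INTEGER, size INTEGER, generate TEXT);
CREATE TABLE dnsseckeys (
    id INTEGER PRIMARY KEY, keypair_id INTEGER, zone_id INTEGER, keytype INTEGER,
    state INTEGER, publish TEXT, ready TEXT, active TEXT, retire TEXT, dead TEXT);
"""

# Zone 41's four keypairs plus the two orphaned by the zone delete.
KEYPAIRS = [
    (572, 41, 1536, "2014-03-27 14:15:36"),
    (588, 41, 1280, "2014-04-09 19:15:38"),
    (622, 41, 1280, "2014-07-11 20:16:04"),
    (580, 41, 1280, "2014-04-09 17:16:18"),
    (525, None, 1536, "2013-08-09 07:52:33"),  # belonged to the deleted zone
    (613, None, 1280, "2014-07-11 19:15:34"),  # belonged to the deleted zone
]

# dnsseckeys for zone 41 as assumed before the delete: keypair 622 is the
# active ZSK (state 4, no dead time). Note that dnsseckeys row id 525 belongs
# to keypair 622, which is exactly the collision the mail describes. The
# deleted zone has no dnsseckeys rows left.
DNSSECKEYS = [
    (484, 572, 41, 257, 4, "2014-03-27 14:15:55", "2014-03-28 19:15:50",
     "2014-03-29 13:15:11", "2015-03-29 13:15:11", None),
    (503, 588, 41, 256, 6, "2014-04-09 19:15:54", "2014-04-10 23:16:18",
     "2014-04-11 00:16:27", "2014-07-13 00:16:35", "2014-09-15 03:16:54"),
    (525, 622, 41, 256, 4, "2014-07-11 20:16:19", "2014-07-13 00:16:35",
     "2014-07-13 00:16:35", "2014-10-14 00:16:35", None),
    (535, 580, 41, 256, 2, "2014-09-26 22:16:10", "2014-09-28 02:16:10",
     None, None, None),
]

DELETED_ZONE_KEYPAIRS = [525, 613]   # keypair ids of the deleted zone
DELETE_TIME = "2014-09-26 21:32:57"  # the dead timestamp seen in the mail
STATE_DEAD = 6                       # state code carried by the dead rows (assumed)


def open_sample_db():
    """Build the in-memory sample database from the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO keypairs VALUES (?, ?, ?, ?)", KEYPAIRS)
    conn.executemany("INSERT INTO dnsseckeys VALUES (?,?,?,?,?,?,?,?,?,?)", DNSSECKEYS)
    conn.commit()
    return conn


def _placeholders(n):
    return ",".join("?" * n)


def mark_dead_buggy(conn, keypair_ids, when):
    """The defect from the mail: keypair ids are compared with dnsseckeys.id,
    so a row belonging to an unrelated live zone gets killed. Returns rows changed."""
    sql = f"UPDATE dnsseckeys SET state = ?, dead = ? WHERE id IN ({_placeholders(len(keypair_ids))})"
    cur = conn.execute(sql, [STATE_DEAD, when, *keypair_ids])
    conn.commit()
    return cur.rowcount


def mark_dead_fixed(conn, keypair_ids, when):
    """Corrected predicate: match on the foreign key, not on the row id."""
    sql = f"UPDATE dnsseckeys SET state = ?, dead = ? WHERE keypair_id IN ({_placeholders(len(keypair_ids))})"
    cur = conn.execute(sql, [STATE_DEAD, when, *keypair_ids])
    conn.commit()
    return cur.rowcount


def suspicious_dead_keys(conn):
    """Post-delete consistency check: keys of a live zone whose dead time
    precedes their scheduled retire time, or that never had a retire time.
    Returns (dnsseckeys.id, keypair_id) pairs. ISO timestamps compare as text."""
    return conn.execute("""
        SELECT d.id, d.keypair_id
        FROM dnsseckeys d JOIN keypairs k ON k.id = d.keypair_id
        WHERE d.dead IS NOT NULL
          AND k.zone_id IS NOT NULL
          AND (d.retire IS NULL OR d.dead < d.retire)
        ORDER BY d.id""").fetchall()


def active_zsks(conn, zone_id):
    """keypair ids of the zone's ZSKs (keytype 256) that are active and not dead."""
    rows = conn.execute("""
        SELECT keypair_id FROM dnsseckeys
        WHERE zone_id = ? AND keytype = 256 AND active IS NOT NULL AND dead IS NULL
        ORDER BY keypair_id""", (zone_id,)).fetchall()
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = open_sample_db()
    print("buggy update changed", mark_dead_buggy(db, DELETED_ZONE_KEYPAIRS, DELETE_TIME), "row(s)")
    print("suspicious dead keys:", suspicious_dead_keys(db))  # [(525, 622)]
    print("active ZSKs for zone 41:", active_zsks(db, 41))    # []
    db = open_sample_db()
    print("fixed update changed", mark_dead_fixed(db, DELETED_ZONE_KEYPAIRS, DELETE_TIME), "row(s)")
    print("active ZSKs for zone 41:", active_zsks(db, 41))    # [622]
```

With the buggy predicate the only matching row is dnsseckeys id 525, which is zone 41's active ZSK (keypair 622), and the zone is left with no active ZSK, the situation the second quoted paragraph complains about. The corrected predicate changes nothing here because the deleted zone's dnsseckeys rows are already gone, and zone 41 keeps its ZSK.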
_______________________________________________
Opendnssec-user mailing list
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
