Hi,

I'm doing some testing with OpenDNSSec version 2.1.4, and I'm seeing what to me looks like some unexpected behaviour during ZSK rollover. During the period of replacing the signatures from old to new keys, the old signatures are replaced with a set of two signatures from both the old and the new keys.

After starting a rollover, the new ZSK is generated and added to the zone. After a short publishing period, the key changes state to active and the system starts to generate signatures with the new key. I would then expect the old signatures to be gradually replaced with signatures with the new key, as each of the old signatures reaches its end-of-life time. Instead the old signature is replaced with a new pair of signatures, one sig made with the old key and one made with the new one. So, during the period of signature replacement, the size of the zonefile grows gradually until all the records have a set of two signatures. When the replacement period is over, the old key is removed from the zone, and all the old signatures are removed at the same time, leaving the zonefile in the 'normal' state with a single signature for each signed record.

Example diff during the signature replacement:

  221c226,227
  < frisor.bergen.no. 7200 IN RRSIG DS 8 3 7200 20200118150151 20200105190134 22581 bergen.no. aRn9nlLCjXFBLck20gKVn4sVmdINKEV5Irnyx4L86OdYa1nwIGfx8loPDGacirPgRxCK/yjo9efxvKH4Deuhz5uyO2SUMrhJmtc5fkzxG0zZYPSEc6M+FY7Zklvg/y1s4v47agEJoBCiuzvy9eJAcV0XUWUgz//EEv6UIOqJ6RA=
  ---
  > frisor.bergen.no. 7200 IN RRSIG DS 8 3 7200 20200121021554 20200108150228 44316 bergen.no. ocYyHZQoEWDrfUagh7Z24zY3Wz4jz3NVzHpSUbeemtfkf66f5UUl/cpq/Y6us2axHolIMWW+oroPXAtwYAsj9jXJ1tUNlWpCNSuNbX5TX3Cs1btPSh2xqbZojaIX1AtSjIq9iejXI0nDiXjO3uLHNqNNyIgHfM9Mk3KwCVOW7ow=
  > frisor.bergen.no. 7200 IN RRSIG DS 8 3 7200 20200121021554 20200108150228 22581 bergen.no. X2Fql3Eaa/rrUimY703cdv1E/DWfR8rD//2d8W8EWMba8bDbKVpR2BVclAgvtNw2JtrPOhYVMt8bF/uKI1+awowTqeRIyPiMAF9cn+O2oWMDK3bAlUuuAKVdYwM2J/OhQp4r3XochHuJ6WnrwJJ+YKBUWk0CAcEFbLAPA785zAg=
  443c450,45
  < rolex.bergen.no. 7200 IN RRSIG DS 8 3 7200 20200118142553 20200105030451 22581 bergen.no. rGRg3Sr8WwBLOWNasZehV24lStR7x6KGIEtbGetelslPi7kvEOZ1Tt6tiCioZ5ZkoztyTLtlfvKhl5Z3nd90UHPZzd9f5g51erUb+cybw4P+mcEBBzOFeWXrWawM3/keMKKJ9jthvvqWMfFojXLPvIT8aNPyuX16Dj+IM5MNUBY=
  ---
  > rolex.bergen.no. 7200 IN RRSIG DS 8 3 7200 20200121003335 20200108150228 44316 bergen.no. tntEofV494LkvLi2MGUKH8cLJBEWeentEsM1JI5Z4i/j/nDb//uwliBAYPLeRg7DT0Lhs6YmLOUX6k/vwgSrLAo5wc/u0JP83riN/jdPl0rOXEgHBRS9Qkqj2a2VnKOtmAlOn8lOUO9DfWEsl7dnnKbwJmy3E80xYAVzxkeWu1M=
  > rolex.bergen.no. 7200 IN RRSIG DS 8 3 7200 20200121003335 20200108150228 22581 bergen.no. bTCicOFKRlmaKcj6Pz/bZDVzGg8hACy4ksuUka8Wah0SM0efvRp23cDU3WE62bopscSLHd1A7w0pMddJGxMLo+ivpbk4xeblnZk4tgWku34mZ9jk43Lu3w1bN87YR54JsXSBWdhF535tac+HcRSmgUUO/Wop0l5OVfcGoTKsQJw=
  ...

I'm wondering if this is the intended behaviour? If not, what could the reason be for it to happen?

I've built the system from the 2.1.4 source on an Ubuntu 16.04 distribution. I'm running the system with SoftHSM v2.5 and SQLite3 enforcer backend.

Kind regards,
Erik Østlyngen
Norid AS
www.norid.no

_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
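As an added example (not part of the post above and not OpenDNSSEC's own tooling), a small check that parses RRSIG lines in zone presentation format and reports which RRsets are currently signed by more than one key tag, so the double-signature period described in the post can be measured directly from a signed zone file rather than read off a diff. It assumes one RRSIG per line with explicit TTL and class, as in the diff; the sample zone is constructed from the post's records with the signature data truncated, plus one record signed by a single key.

```python
from collections import defaultdict

# Constructed sample: the "new" side of the diff in the post (signatures
# truncated, they are not parsed) plus one RRset signed by only one key.
ZONE_SAMPLE = """\
frisor.bergen.no. 7200 IN RRSIG DS 8 3 7200 20200121021554 20200108150228 44316 bergen.no. ocYyHZQo...
frisor.bergen.no. 7200 IN RRSIG DS 8 3 7200 20200121021554 20200108150228 22581 bergen.no. X2Fql3Ea...
rolex.bergen.no. 7200 IN RRSIG DS 8 3 7200 20200121003335 20200108150228 44316 bergen.no. tntEofV4...
rolex.bergen.no. 7200 IN RRSIG DS 8 3 7200 20200121003335 20200108150228 22581 bergen.no. bTCicOFK...
single.bergen.no. 7200 IN RRSIG DS 8 3 7200 20200121003335 20200108150228 44316 bergen.no. AAAAAAAA...
"""


def parse_rrsigs(zone_text):
    """Yield (owner, covered_type, keytag, expiration) for every RRSIG line.

    Presentation format (RFC 4034): owner ttl class RRSIG covered alg labels
    orig_ttl expiration inception keytag signer signature...
    """
    for line in zone_text.splitlines():
        fields = line.split()
        if len(fields) < 13 or fields[3] != "RRSIG":
            continue
        yield fields[0], fields[4], int(fields[10]), fields[8]


def signing_keys_per_rrset(zone_text):
    """Map (owner, type) -> sorted list of key tags that sign that RRset."""
    tags = defaultdict(set)
    for owner, covered, keytag, _ in parse_rrsigs(zone_text):
        tags[(owner, covered)].add(keytag)
    return {rrset: sorted(keys) for rrset, keys in tags.items()}


def doubly_signed_rrsets(zone_text):
    """RRsets carrying signatures from more than one key (the rollover state the post describes)."""
    return {r: k for r, k in signing_keys_per_rrset(zone_text).items() if len(k) > 1}


def signature_overhead(zone_text):
    """Return (number_of_signed_rrsets, number_of_rrsigs); the gap is the zone growth during rollover."""
    per_rrset = signing_keys_per_rrset(zone_text)
    return len(per_rrset), sum(len(k) for k in per_rrset.values())


if __name__ == "__main__":
    for rrset, keys in doubly_signed_rrsets(ZONE_SAMPLE).items():
        print("%s %s signed by key tags %s" % (rrset[0], rrset[1], keys))
    print("signed RRsets / RRSIGs: %d / %d" % signature_overhead(ZONE_SAMPLE))
```

Run against the full signed zone at intervals during a rollover; the RRSIG count should return to the RRset count once the old key is retired.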
