Re: [zkt-users] automatic KSK key removal before DS

2012-02-23 Thread Holger Zuleger



> I am trying to use   zkt-keyman -1  domain.dd   to initiate
> semi-automatic KSK rollover, then after the propagation of the new key

Ok, this means you have to initiate every step manually!

> ZKT switches
> to KSK roll phase2, this is when admin needs to post new DS record to
> parent, after that ZKT automatically switches to phase3 and removes old KSK.

If phase3 is done automatically then this is a bug, or you are using zkt
in a hierarchical way with automated KSK rollover in place.

Could you please give me some insight if the parent is hosted by the
same server and under control of zkt? Maybe this leads zkt-signer to
take over your manually started KSK rollover.

> I think this is a problem in case admin did not send a new DS to a
> parent zone and in phase3 the active key has been removed. Then parent

Yes, for sure, this is a problem.

> zone will contain a DS record of the old KSK and zone will contain the
> new KSK and zone will become bogus.
> Maybe phase3 also should be called manually with zkt-keyman 3 domain.dd. ?

Yes, if it is started manually, all must be done manually.

> Here are the logs -
>
> 2012-02-23 08:30:01.088: debug: kskrollover: we are in state 2 and
> waiting for parent propagation (parentfile 7200sec < parentprop 300sec +
> parentkeyttl 7200sec
> 2012-02-23 08:36:01.663: debug: kskrollover: remove parentfile and
> rename old key to kdomain.dd.+008+30177.key
> 2012-02-23 08:36:01.663: info: "domain.dd.": kskrollover phase3: Remove
> old key 30177

Thanks for the hint. I will look into the code to see if it is possible
to detect the manual KSK rollover in an automated environment.


Best regards
 Holger
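The gate the thread is asking for, written out as an added example (this is not ZKT code and not part of the original messages): before a phase-3 removal of the old KSK, confirm that the parent already publishes a DS derived from the new KSK, and that the DS change has been public for longer than parent propagation delay plus parent TTL, which is the same comparison ZKT logs while it sits in state 2. DS digests and key tags follow RFC 4034. The zone name domain.dd and the key tag 30177 come from the logs in the thread; the key blobs are constructed toy values (far too short for real RSA keys), the old one chosen so that its tag works out to 30177, and the 7200/300/7200 second figures simply mirror the log line.

```python
"""Pre-flight gate for KSK rollover phase 3 (removal of the old KSK).

Added example, not ZKT code. Two conditions must hold before the old KSK
may leave the zone:
  1. the parent publishes a DS record that matches the NEW KSK; otherwise
     the parent keeps pointing at a key the zone no longer carries and
     validators treat the zone as bogus;
  2. the DS change has been public for longer than parent propagation delay
     plus the parent DS TTL (the same comparison ZKT logs in state 2).
DS digests follow RFC 4034 section 5.1.4, key tags RFC 4034 appendix B.
"""
import hashlib
import struct
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class Dnskey:
    owner: str      # zone apex, e.g. "domain.dd."
    flags: int      # 257 = ZONE + SEP, i.e. a KSK
    protocol: int   # always 3
    algorithm: int  # 8 = RSASHA256 (the +008+ in the key file name)
    pubkey: bytes   # public key field, already base64-decoded

    def rdata(self) -> bytes:
        return struct.pack("!HBB", self.flags, self.protocol, self.algorithm) + self.pubkey


@dataclass(frozen=True)
class Ds:
    key_tag: int
    algorithm: int
    digest_type: int  # 1 = SHA-1, 2 = SHA-256
    digest: bytes


def key_tag(key: Dnskey) -> int:
    """RFC 4034 appendix B checksum over the DNSKEY RDATA (algorithms != 1)."""
    acc = 0
    for i, b in enumerate(key.rdata()):
        acc += b << 8 if i % 2 == 0 else b
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def wire_name(name: str) -> bytes:
    """Canonical wire form of the owner name: lowercase, length-prefixed labels."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def ds_from_dnskey(key: Dnskey, digest_type: int = 2) -> Ds:
    """DS digest = hash(canonical owner name || DNSKEY RDATA)."""
    hasher = {1: hashlib.sha1, 2: hashlib.sha256}.get(digest_type)
    if hasher is None:
        raise ValueError("unsupported DS digest type %d" % digest_type)
    digest = hasher(wire_name(key.owner) + key.rdata()).digest()
    return Ds(key_tag(key), key.algorithm, digest_type, digest)


def parent_has_ds_for(key: Dnskey, parent_ds_set: Iterable[Ds]) -> bool:
    """True if any DS the parent publishes was derived from this exact DNSKEY."""
    return any(ds.digest_type in (1, 2)
               and ds.algorithm == key.algorithm
               and ds_from_dnskey(key, ds.digest_type) == ds
               for ds in parent_ds_set)


def safe_to_remove_old_ksk(new_ksk: Dnskey, parent_ds_set: Iterable[Ds],
                           ds_age_s: int, parent_prop_s: int, parent_ttl_s: int) -> bool:
    """Phase-3 gate: new DS visible at the parent AND propagation window elapsed."""
    if not parent_has_ds_for(new_ksk, parent_ds_set):
        return False
    return ds_age_s > parent_prop_s + parent_ttl_s


# Constructed sample data. The key blobs are toy values far too short for
# real RSA keys; the old one is chosen so its key tag is 30177, the tag
# ZKT removed in the logs above. The zone name is the one from the logs.
OLD_KSK = Dnskey("domain.dd.", 257, 3, 8, bytes.fromhex("030100016ed6"))
NEW_KSK = Dnskey("domain.dd.", 257, 3, 8, bytes.fromhex("03010001a5c3f07e12bb"))

if __name__ == "__main__":
    old_ds, new_ds = ds_from_dnskey(OLD_KSK), ds_from_dnskey(NEW_KSK)
    print("old KSK tag", key_tag(OLD_KSK), "new KSK tag", key_tag(NEW_KSK))
    # Parent still carries only the old DS: must not remove the old KSK.
    print("parent has old DS only :", safe_to_remove_old_ksk(NEW_KSK, {old_ds}, 7560, 300, 7200))
    # Parent carries the new DS, but 7200 s < 300 s + 7200 s: keep waiting (state 2).
    print("new DS, window not over:", safe_to_remove_old_ksk(NEW_KSK, {old_ds, new_ds}, 7200, 300, 7200))
    # Parent carries the new DS and the window has passed: phase 3 is safe.
    print("new DS, window elapsed :", safe_to_remove_old_ksk(NEW_KSK, {old_ds, new_ds}, 7560, 300, 7200))
```

In a real deployment the parent DS set would be fetched with a validating resolver query for the zone's DS RRset and the age taken from when the DS change was first observed; the matching is done by recomputing the DS from the DNSKEY rather than comparing key tags alone, because tags are a 16-bit checksum and can collide.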



--
Virtualization & Cloud Management Using Capacity Planning
Cloud computing makes use of virtualization - but cloud computing 
also focuses on allowing computing to be delivered as a service.
http://www.accelacomm.com/jaw/sfnl/114/51521223/
___
zkt-users mailing list
zkt-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/zkt-users


Re: [zkt-users] automatic KSK key removal before DS

2012-02-23 Thread Ivo
Thank you for your reply and recent ZKT project upgrade.

I am trying to use   zkt-keyman -1  domain.dd   to initiate
semi-automatic KSK rollover, then after the propagation of the new key
ZKT switches
to KSK roll phase2, this is when admin needs to post new DS record to
parent, after that ZKT automatically switches to phase3 and removes old KSK.

I think this is a problem in case admin did not send a new DS to a
parent zone and in phase3 the active key has been removed. Then parent
zone will contain a DS record of the old KSK and zone will contain the
new KSK and zone will become bogus.
Maybe phase3 also should be called manually with zkt-keyman 3 domain.dd. ?

Here are the logs -

2012-02-23 08:30:01.088: debug: kskrollover: we are in state 2 and
waiting for parent propagation (parentfile 7200sec < parentprop 300sec +
parentkeyttl 7200sec
2012-02-23 08:36:01.663: debug: kskrollover: remove parentfile and
rename old key to kdomain.dd.+008+30177.key
2012-02-23 08:36:01.663: info: "domain.dd.": kskrollover phase3: Remove
old key 30177

Best regards,

Ivo



On 2012.02.22. 14:55, Holger Zuleger wrote:
>> Is it ok that old key is removed from zone before corresponding DS is
>> removed from root?
> From the protocol view, if the new DS is already in place, I think it
> is ok, but nothing I would recommend.
>
>> I can see that zkt-signer is automatically running phase3 and removing
>> key from the zone.
> Are you talking about automated KSK rollover, so the parent zone is
> under control of zkt-signer?
> And did you make a hierarchical setup, thus sub zones are in a sub
> directory of the parent?
>
> Then, and only then, zkt-signer is able to do an automated KSK rollover.
> There are two pieces that have to work together.
> a) zkt-signer removes the KSK in the zone in phase 3 and copies the
> keyset- file to the parent dir
>
> b) In signing the parent zone with dnssec-signzone (called by
> zkt-signer) the DS records will be included depending on the keys
> found in the keyset-file.
>
> As far as the signing of the child zone is done before signing of the
> parent I expect that the DS is not removed before the parent.
>
> If you see a different behavior please explain a bit more your setup,
> post some logs, etc.
>
> Best regards
>  Holger



Re: [zkt-users] automatic KSK key removal before DS

2012-02-22 Thread Holger Zuleger

> Is it ok that old key is removed from zone before corresponding DS is
> removed from root?

From the protocol view, if the new DS is already in place, I think it
is ok, but nothing I would recommend.

> I can see that zkt-signer is automatically running phase3 and removing
> key from the zone.

Are you talking about automated KSK rollover, so the parent zone is
under control of zkt-signer?
And did you make a hierarchical setup, thus sub zones are in a sub
directory of the parent?

Then, and only then, zkt-signer is able to do an automated KSK rollover.
There are two pieces that have to work together.
a) zkt-signer removes the KSK in the zone in phase 3 and copies the
keyset- file to the parent dir

b) In signing the parent zone with dnssec-signzone (called by
zkt-signer) the DS records will be included depending on the keys found
in the keyset-file.

As far as the signing of the child zone is done before signing of the
parent I expect that the DS is not removed before the parent.

If you see a different behavior please explain a bit more your setup,
post some logs, etc.


Best regards
 Holger






[zkt-users] automatic KSK key removal before DS

2012-02-22 Thread Ivo
Hi,

Is it ok that old key is removed from zone before corresponding DS is
removed from root?
I can see that zkt-signer is automatically running phase3 and removing
key from the zone.

thanks,

Ivo
