Thank you for your reply and recent ZKT project upgrade.

I am trying to use zkt-keyman -1 domain.dd to initiate a
semi-automatic KSK rollover. After the propagation of the new key,
ZKT switches to KSK roll phase 2; this is when the admin needs to post the
new DS record to the parent. After that, ZKT automatically switches to
phase 3 and removes the old KSK.

I think this is a problem in case the admin did not send the new DS to the
parent zone and in phase 3 the active key has been removed. Then the parent
zone will contain a DS record of the old KSK while the zone contains the
new KSK, and the zone will become bogus.
Maybe phase 3 also should be called manually with zkt-keyman 3 domain.dd.?

Here are the logs -

2012-02-23 08:30:01.088: debug: kskrollover: we are in state 2 and
waiting for parent propagation (parentfile 7200sec < parentprop 300sec +
parentkeyttl 7200sec
2012-02-23 08:36:01.663: debug: kskrollover: remove parentfile and
rename old key to kdomain.dd.+008+30177.key
2012-02-23 08:36:01.663: info: "domain.dd.": kskrollover phase3: Remove
old key 30177

Best regards,

Ivo



On 2012.02.22. 14:55, Holger Zuleger wrote:
>> Is it ok that old key is removed from zone before corresponding DS is
>> removed from root?
> From the protocol view, if the new DS is already in place, I think it
> is ok, but nothing I would recommend.
>
>> I can see that zkt-signer is automatically running phase3 and removing
>> key from the zone.
> Are you talking about automated KSK rollover, so the parent zone is
> under control of zkt-signer?
> And did you make a hierarchical setup, thus sub zones are in a sub
> directory of the parent?
>
> Then, and only then, zkt-signer is able to do an automated KSK rollover.
> There are two pieces that have to work together.
> a) zkt-signer removes the KSK in the zone in phase 3 and copies the
> keyset- file to the parent dir
>
> b) In signing the parent zone with dnssec-signzone (called by
> zkt-signer) the DS records will be included depending on the keys
> found in the keyset-file.
>
> As far as the signing of the child zone is done before signing of the
> parent I expect that the DS is not removed before the parent.
>
> If you see a different behavior please explain a bit more your setup,
> post some logs, etc.
>
> Best regards
>  Holger
>
> _______________________________________________
> zkt-users mailing list
> zkt-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/zkt-users
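A pre-phase-3 check of the kind Ivo is asking for, added here as an illustration and not part of ZKT or of either post: it computes the DS record (RFC 4034 key tag, RFC 4509 SHA-256 digest) for the new KSK and only allows removal of the old KSK once the parent's DS set already contains it. The zone name comes from the thread; the key material, the parent DS sets and the function names are constructed assumptions.

```python
import hashlib
import struct

ZONE = "domain.dd."  # zone name from the thread; keys below are constructed samples

def wire_name(name: str) -> bytes:
    """Owner name in canonical lower-case DNS wire format (RFC 4034 section 6.2)."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: flags, protocol (always 3), algorithm, public key (RFC 4034 2.1)."""
    return struct.pack("!HBB", flags, 3, algorithm) + pubkey

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except 1/RSAMD5)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte << 8 if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_record(owner: str, rdata: bytes) -> tuple:
    """DS as (key tag, algorithm, digest type 2, hex digest): SHA-256 over
    owner name + DNSKEY RDATA (RFC 4509)."""
    digest = hashlib.sha256(wire_name(owner) + rdata).hexdigest()
    return (key_tag(rdata), rdata[3], 2, digest)

def safe_to_remove_old_ksk(owner: str, new_ksk_rdata: bytes, parent_ds_set: set) -> bool:
    """Gate for phase 3: True only when the parent already publishes a DS for the new KSK."""
    return ds_record(owner, new_ksk_rdata) in parent_ds_set

# Constructed sample keys: flags 257 = KSK, algorithm 8 = RSASHA256 (the +008+ in the log).
# Public key bytes are fake RSA wire data: exponent length 3, exponent 65537, dummy modulus.
OLD_KSK = dnskey_rdata(257, 8, bytes([3, 1, 0, 1]) + bytes(range(32)))
NEW_KSK = dnskey_rdata(257, 8, bytes([3, 1, 0, 1]) + bytes(range(32, 64)))

# Parent still carries only the old key's DS, the situation Ivo describes.
PARENT_DS_BEFORE = {ds_record(ZONE, OLD_KSK)}
# Parent after the admin has posted the DS for the new KSK.
PARENT_DS_AFTER = PARENT_DS_BEFORE | {ds_record(ZONE, NEW_KSK)}

if __name__ == "__main__":
    print("phase 3 allowed before DS update:", safe_to_remove_old_ksk(ZONE, NEW_KSK, PARENT_DS_BEFORE))
    print("phase 3 allowed after DS update: ", safe_to_remove_old_ksk(ZONE, NEW_KSK, PARENT_DS_AFTER))
```

In practice the parent DS set would be fetched with a validating resolver query for the DS RRset at the parent rather than constructed inline.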