Discussion:
[Opendnssec-user] KSK rollover gone wrong
Erwan David
2018-11-02 18:41:04 UTC
Hi, it is my first KSK rollover with opendnssec 2.x (2.1.3)

As DelegationSignerSubmitCommand I have a script which sends me the new
DNSKEY record.

So now I have the following state:

***@ns:~ # ods-enforcer key list -v
Keys:
Zone:        Keytype: State:  Date of next transition: Size: Algorithm: CKA_ID:                          Repository: KeyTag:
rail.eu.org  KSK      retire  waiting for ds-gone      2048  8          b656abe183f04bb79532cef7e560f385 SoftHSM     60025
rail.eu.org  ZSK      retire  2018-11-10 06:40:45      1024  8          3be292fdeffa05c2fb7094aad65bdc9f SoftHSM     58794
rail.eu.org  ZSK      ready   2018-11-10 06:40:45      1024  8          06f37e2866ef467c02b1f14aa7835dc8 SoftHSM     33120
rail.eu.org  KSK      ready   waiting for ds-seen      2048  8          27511d0b7ff7ca21510317ad95be546a SoftHSM     43375

So following the doc I issued the following

***@ns:~ # ods-enforcer key ds-submit -z rail.eu.org -x 43375
0 KSK matches found.
0 KSKs changed.

And DNSKEY 43375 is not in the signed zone (only 60025 for KSK).

My registrar checks that I publish the DNSKEY record before publishing the
DS, thus I cannot add it.

What should I do in this situation?

Thanks.
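As an added example (not part of this thread and not OpenDNSSEC's own code), here is a pre-flight check for the situation described above: before a DS for a KSK is handed to the registrar, confirm that the DNSKEY with that key tag is actually present in the signed zone. The script parses the `ods-enforcer key list -v` state shown in the mail, computes RFC 4034 key tags over a DNSKEY RRset, reports every KSK that the enforcer is "waiting for ds-seen" on but whose DNSKEY is not published, and builds the DS (SHA-256, digest type 2) for the keys that are published. The DNSKEY RRset is constructed toy data: the key material is not the real rail.eu.org keys, and the 257 entry was deliberately built so that its tag equals 60025 to mirror the state in the mail, where only the old KSK is in the zone.

```python
import base64
import hashlib
import re
from dataclasses import dataclass

# Sample enforcer state: the `ods-enforcer key list -v` output from the mail,
# with the wrapped columns re-joined.
KEY_LIST_OUTPUT = """\
Keys:
Zone:        Keytype: State:  Date of next transition: Size: Algorithm: CKA_ID:                          Repository: KeyTag:
rail.eu.org  KSK      retire  waiting for ds-gone      2048  8          b656abe183f04bb79532cef7e560f385 SoftHSM     60025
rail.eu.org  ZSK      retire  2018-11-10 06:40:45      1024  8          3be292fdeffa05c2fb7094aad65bdc9f SoftHSM     58794
rail.eu.org  ZSK      ready   2018-11-10 06:40:45      1024  8          06f37e2866ef467c02b1f14aa7835dc8 SoftHSM     33120
rail.eu.org  KSK      ready   waiting for ds-seen      2048  8          27511d0b7ff7ca21510317ad95be546a SoftHSM     43375
"""

# Constructed DNSKEY RRset standing in for the signed zone. Toy key material,
# NOT the real zone keys: the 257 (SEP/KSK) entry was crafted so that its
# RFC 4034 key tag is 60025, like the old KSK above; no key with tag 43375
# is present, which is exactly the state the mail describes.
SIGNED_ZONE_DNSKEYS = """\
rail.eu.org. 3600 IN DNSKEY 257 3 8 AQABcOQ=
rail.eu.org. 3600 IN DNSKEY 256 3 8 AQABAAECAwQFBgcI
"""

KEY_ROW = re.compile(
    r"^(?P<zone>\S+)\s+(?P<keytype>KSK|ZSK)\s+(?P<state>\S+)\s+(?P<next>.+?)\s+"
    r"(?P<size>\d+)\s+(?P<alg>\d+)\s+(?P<cka_id>[0-9a-f]{32})\s+(?P<repo>\S+)\s+(?P<keytag>\d+)$"
)


@dataclass
class EnforcerKey:
    zone: str
    keytype: str
    state: str
    next_transition: str
    algorithm: int
    keytag: int


def parse_key_list(text):
    """Parse the rows of `ods-enforcer key list -v`; header lines do not match."""
    keys = []
    for line in text.splitlines():
        m = KEY_ROW.match(line.strip())
        if m:
            keys.append(EnforcerKey(m["zone"], m["keytype"], m["state"],
                                    m["next"], int(m["alg"]), int(m["keytag"])))
    return keys


def dnskey_keytag(rdata):
    """RFC 4034 Appendix B key tag, computed over the DNSKEY RDATA."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def name_to_wire(name):
    """Canonical (lower-case) wire form of an owner name, as used in the DS digest."""
    wire = b""
    for label in name.rstrip(".").lower().split("."):
        wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"


@dataclass
class DnskeyRR:
    owner: str
    flags: int
    protocol: int
    algorithm: int
    rdata: bytes

    @property
    def keytag(self):
        return dnskey_keytag(self.rdata)


def parse_dnskey_rrs(text):
    """Parse presentation-format DNSKEY RRs (owner TTL class DNSKEY flags proto alg key)."""
    rrs = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 8 or f[3] != "DNSKEY":
            continue
        flags, proto, alg = int(f[4]), int(f[5]), int(f[6])
        pubkey = base64.b64decode("".join(f[7:]))
        rdata = flags.to_bytes(2, "big") + bytes([proto, alg]) + pubkey
        rrs.append(DnskeyRR(f[0], flags, proto, alg, rdata))
    return rrs


def ds_record(rr):
    """DS RR with digest type 2: SHA-256(owner name in wire form || DNSKEY RDATA)."""
    digest = hashlib.sha256(name_to_wire(rr.owner) + rr.rdata).hexdigest().upper()
    return f"{rr.owner} IN DS {rr.keytag} {rr.algorithm} 2 {digest}"


def unpublished_ksks(key_list_text, dnskey_text):
    """Key tags the enforcer is waiting for a DS on, whose DNSKEY is not in the zone."""
    published = {rr.keytag for rr in parse_dnskey_rrs(dnskey_text)}
    return [k.keytag for k in parse_key_list(key_list_text)
            if k.keytype == "KSK" and "ds-seen" in k.next_transition
            and k.keytag not in published]


if __name__ == "__main__":
    missing = unpublished_ksks(KEY_LIST_OUTPUT, SIGNED_ZONE_DNSKEYS)
    if missing:
        print("do not submit a DS yet; DNSKEY not published for key tag(s):", missing)
    for rr in parse_dnskey_rrs(SIGNED_ZONE_DNSKEYS):
        if rr.flags & 1:  # SEP bit set: the keys a DS would normally be generated for
            print(ds_record(rr))
```

On the embedded samples the check reports 43375 as missing, which is the same conclusion the registrar's DNSKEY check reached. On a real host you would feed it the live `ods-enforcer key list -v` output and the DNSKEY RRset fetched from the published zone (for example with `dig DNSKEY rail.eu.org`) instead of the constructed strings; the script only confirms publication, it does not replace `ods-enforcer key ds-seen`, which is still what tells the enforcer the DS is live.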
Erwan David
2018-11-02 18:57:32 UTC
The zone has been re-signed since the issuance of the new KSK.
Is it possible you haven't published a new zone yet with the new key?
Can you force a re-sign?
-jake
_______________________________________________
Opendnssec-user mailing list
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user