Fred Zwarts, KVI, Groningen
2016-09-16 20:38:19 UTC
We have ods 2.0.1 running for some time, but now a ZSK roll-over is giving
a problem.
Currently the situation is as follows:
# ods-enforcer key list --verbose
Keys:
Zone: Keytype: State: Date of next transition:
Size: Algorithm: CKA_ID: Repository: KeyTag:
KVI.nl KSK retire 2016-09-17 11:00:06
2048 8 d70448361bf9ded4888de4bb681a9963 SoftHSM 23384
KVI.nl ZSK retire 2016-09-17 11:00:06
1024 8 664dd2e6d61153c53f99ac2dcafddbda SoftHSM 31771
KVI.nl KSK active 2016-09-17 11:00:06
2048 8 333e0824ef6fc70c2729b02a88be92c7 SoftHSM 61849
KVI.nl ZSK retire 2016-09-17 11:00:06
1024 8 6d31f5b7f2db0bc65fcb35f60ecceb1e SoftHSM 15381
KVI.nl ZSK ready 2016-09-17 11:00:06
1024 8 3c246656cd56b7cfd5294f5cb8e02229 SoftHSM 43923
key list completed in 0 seconds.
Parts from the signed zone as written by ods:
kvi.nl. 86400 IN SOA dns1.kvi.nl. hostmaster.kvi.nl. 2016091613
43200 3600 345600 10800
kvi.nl. 86400 IN RRSIG SOA 8 2 86400 20160930151204 20160916173547
43923 KVI.nl.
a1quYQgmEnAmt2BUdt3PAcEQ4mFCoLIULLEKKoICataE7OuXAbdhfjE9hT0nJeJPiLm6jmJmyj6fM2PwEb9DHS+PMulUc1L
snwayUoylsXm0HUFiAvG7+/tt2UYgybGCrXYWrrTJuu/VxMPSb4Qy5uEdwfEQRKs5w5Aeqci7aUQ=
kvi.nl. 3600 IN DNSKEY 257 3 8
AwEAAb9i0ycPgnT71XuBrWg7XuvEcUcmhLsWtXsO/vmg3xpWiYR1wW15rEMvloZ7Bl7O4/42to8GlQHx0yY1r1Kx4mkFtH6Mol31QXE8vwk4JaG7dW3UJKCWAjLD2mrBhp0umzDQK5dlkE+9o
m0sjcz2aUASNAQqwh38qOl8+3jNGbfjaw9MGK1WMYRv805NGGgPnmQ1BoB/4d99nhzqAfAWLWRLCoxD2FWjbUm+cQCft+YMtzEk46Ua1H/g/0B38E/2A71fUMWfGM5tE0XuArpFc7ri81MAzEHl5gsYGgn4QnGlsg8ip0wFZns/1NndgXpnjMlSel
vp4EEC8RCBKJ7E5IM= ;{id = 61849 (ksk), size = 2048b}
kvi.nl. 3600 IN DNSKEY 256 3 8
AwEAAbuEIkm1DbfRGZVFEfJ2BfD2h1us5RD85wTAZpXI9UfHpEjj86ApLn4uctHza1/ekkNAwy4aOgsz+TxLrvAhfKLfQL17q44ty6PDw8jQcinA8LIqB9xo9umvVagCHQeTTkoTRdHjh3DLQ
Fw9ice4N+7emoi+NTtTEa5pg9r1L41X ;{id = 43923 (zsk), size = 1024b}
kvi.nl. 3600 IN RRSIG DNSKEY 8 2 3600 20160930105859
20160916140006 61849 KVI.nl.
LB2yvkZT3+8gKzLYlnlrhxbCmugYAe0R4mICsodskbBJaRDZUncObYJZv8a4ogZo6IIwswHj8EfwzofW6ZXfcrXAymNYQ
adD38Iht7Xc2S3axpAwZ2jKA/CnlBI9trB4WIwb8zLBbH1sCKrFIofa+2r8h1J2Gv6AU7hjbLHK5dCMP7MlkqO54t9ENDqC6AgvKMn6/miw7xrI+9hK6VLvxjv/zQddWa8S+EX8waYVUC9sZI2f2SYWVgS3xAkOyn0PXyr7/mZ6llssSLJ7UZ9AGB
sitpJpimw+1FqjiX5jls4tr8VsSONhsb+a7v/d8n5EoPgCwuhUT8viJxoSFcm5Iw==
kvi.nl. 86400 IN NS dns1.kvi.nl.
kvi.nl. 86400 IN NS dns2.kvi.nl.
kvi.nl. 86400 IN NS dwalin.nikhef.nl.
kvi.nl. 86400 IN RRSIG NS 8 2 86400 20160929021424 20160914141121
31771 KVI.nl.
xmrTUJo4xM9vzhah0tQ1sPoEub2KEajKEjUjgrKCXNFsdmrVge/3iP8rpcjukSxOXQ4zHTGprFKxzyBFgWtkzZRQHX9dD/DI
iLIWoJ2Wh1xKTfWSTydmrP5C3E7HR6y6fEZqJ16p6Wu/eAjbf3yPcRKHLXePWjbNFVXVrbuycw4=
The retiring keys are not present in the zone.
The retiring KSK is the old backup KSK from ods 1.4.10.
One of the retiring ZSK is the old backup ZSK from ods 1.4.10.
The other retiring ZSK is the old active ZSK.
The ready ZSK is the new ZSK. However, there is no active ZSK.
The ready ZSK is used to sign the SOA record, but the retiring ZSK 31771 is
still used to sign other records, but it is not present in the zone.
So, now many of the records do not have a validated signature.
Any idea how this can be solved? Will the ready key become active at the
next transition?
a problem.
Currently the situation is as follows:
# ods-enforcer key list --verbose
Keys:
Zone: Keytype: State: Date of next transition:
Size: Algorithm: CKA_ID: Repository: KeyTag:
KVI.nl KSK retire 2016-09-17 11:00:06
2048 8 d70448361bf9ded4888de4bb681a9963 SoftHSM 23384
KVI.nl ZSK retire 2016-09-17 11:00:06
1024 8 664dd2e6d61153c53f99ac2dcafddbda SoftHSM 31771
KVI.nl KSK active 2016-09-17 11:00:06
2048 8 333e0824ef6fc70c2729b02a88be92c7 SoftHSM 61849
KVI.nl ZSK retire 2016-09-17 11:00:06
1024 8 6d31f5b7f2db0bc65fcb35f60ecceb1e SoftHSM 15381
KVI.nl ZSK ready 2016-09-17 11:00:06
1024 8 3c246656cd56b7cfd5294f5cb8e02229 SoftHSM 43923
key list completed in 0 seconds.
Parts from the signed zone as written by ods:
kvi.nl. 86400 IN SOA dns1.kvi.nl. hostmaster.kvi.nl. 2016091613
43200 3600 345600 10800
kvi.nl. 86400 IN RRSIG SOA 8 2 86400 20160930151204 20160916173547
43923 KVI.nl.
a1quYQgmEnAmt2BUdt3PAcEQ4mFCoLIULLEKKoICataE7OuXAbdhfjE9hT0nJeJPiLm6jmJmyj6fM2PwEb9DHS+PMulUc1L
snwayUoylsXm0HUFiAvG7+/tt2UYgybGCrXYWrrTJuu/VxMPSb4Qy5uEdwfEQRKs5w5Aeqci7aUQ=
kvi.nl. 3600 IN DNSKEY 257 3 8
AwEAAb9i0ycPgnT71XuBrWg7XuvEcUcmhLsWtXsO/vmg3xpWiYR1wW15rEMvloZ7Bl7O4/42to8GlQHx0yY1r1Kx4mkFtH6Mol31QXE8vwk4JaG7dW3UJKCWAjLD2mrBhp0umzDQK5dlkE+9o
m0sjcz2aUASNAQqwh38qOl8+3jNGbfjaw9MGK1WMYRv805NGGgPnmQ1BoB/4d99nhzqAfAWLWRLCoxD2FWjbUm+cQCft+YMtzEk46Ua1H/g/0B38E/2A71fUMWfGM5tE0XuArpFc7ri81MAzEHl5gsYGgn4QnGlsg8ip0wFZns/1NndgXpnjMlSel
vp4EEC8RCBKJ7E5IM= ;{id = 61849 (ksk), size = 2048b}
kvi.nl. 3600 IN DNSKEY 256 3 8
AwEAAbuEIkm1DbfRGZVFEfJ2BfD2h1us5RD85wTAZpXI9UfHpEjj86ApLn4uctHza1/ekkNAwy4aOgsz+TxLrvAhfKLfQL17q44ty6PDw8jQcinA8LIqB9xo9umvVagCHQeTTkoTRdHjh3DLQ
Fw9ice4N+7emoi+NTtTEa5pg9r1L41X ;{id = 43923 (zsk), size = 1024b}
kvi.nl. 3600 IN RRSIG DNSKEY 8 2 3600 20160930105859
20160916140006 61849 KVI.nl.
LB2yvkZT3+8gKzLYlnlrhxbCmugYAe0R4mICsodskbBJaRDZUncObYJZv8a4ogZo6IIwswHj8EfwzofW6ZXfcrXAymNYQ
adD38Iht7Xc2S3axpAwZ2jKA/CnlBI9trB4WIwb8zLBbH1sCKrFIofa+2r8h1J2Gv6AU7hjbLHK5dCMP7MlkqO54t9ENDqC6AgvKMn6/miw7xrI+9hK6VLvxjv/zQddWa8S+EX8waYVUC9sZI2f2SYWVgS3xAkOyn0PXyr7/mZ6llssSLJ7UZ9AGB
sitpJpimw+1FqjiX5jls4tr8VsSONhsb+a7v/d8n5EoPgCwuhUT8viJxoSFcm5Iw==
kvi.nl. 86400 IN NS dns1.kvi.nl.
kvi.nl. 86400 IN NS dns2.kvi.nl.
kvi.nl. 86400 IN NS dwalin.nikhef.nl.
kvi.nl. 86400 IN RRSIG NS 8 2 86400 20160929021424 20160914141121
31771 KVI.nl.
xmrTUJo4xM9vzhah0tQ1sPoEub2KEajKEjUjgrKCXNFsdmrVge/3iP8rpcjukSxOXQ4zHTGprFKxzyBFgWtkzZRQHX9dD/DI
iLIWoJ2Wh1xKTfWSTydmrP5C3E7HR6y6fEZqJ16p6Wu/eAjbf3yPcRKHLXePWjbNFVXVrbuycw4=
The retiring keys are not present in the zone.
The retiring KSK is the old backup KSK from ods 1.4.10.
One of the retiring ZSK is the old backup ZSK from ods 1.4.10.
The other retiring ZSK is the old active ZSK.
The ready ZSK is the new ZSK. However, there is no active ZSK.
The ready ZSK is used to sign the SOA record, but the retiring ZSK 31771 is
still used to sign other records, but it is not present in the zone.
So, now many of the records do not have a validated signature.
Any idea how this can be solved? Will the ready key become active at the
next transition?