[Opendnssec-user] Zone signed by key in retire state
Arun Natarajan
2016-09-27 14:21:24 UTC
Hello,

We have OpenDNSSEC set up to roll over the ZSK every 3 months, and in the ODS
database it happened as expected: a new key was in PUBLISH state and later
on ACTIVE. The old key was moved to RETIRE state. But still, I see the
zone file is signed with the old key (currently in RETIRE state). Any ideas?

I guess if we clear the ODS and run the signer again it will work, but I'm
wondering why it does not happen automatically?

--
arun
Yuri Schaeffer
2016-09-27 15:03:17 UTC
Hi Arun,
Post by Arun Natarajan
We have opendnssec setup to rollover ZSK every 3 months. And in the ODS
database it happened as expected , a new key was in PUBLISH state and
later on to ACTIVE. The old key was moved to retire state. But still, I
see the zone file is signed with the old key (currently in RETIRE
state). Any ideas?
OpenDNSSEC tries to keep signatures in the zone as long as they are
valid. Only when a signature expires and thus needs a resign is the
signature generated with the new ZSK.

You'll notice that some signatures are generated with the new ZSK and
some with the old ZSK. The signature validity is configurable in the
KASP. During that time both ZSKs have their DNSKEY record published in
the zone.
Post by Arun Natarajan
I guess if we clear the ods and run signer again it will work, but
wondering why it does not happen automatically?
It would work, but it is probably not what you want.

Regards,
Yuri
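A check a zone operator can run against the signer's output to see the mixed-signature state Yuri describes, and to catch the one case that would actually break validation (an RRSIG whose signing DNSKEY is no longer published). This is an added example, not code from this thread or from OpenDNSSEC; the zone contents, names and base64 "key" blobs are constructed (a few arbitrary bytes, not real keys), and the parser assumes single-line presentation format with both TTL and class present:

```python
"""Audit RRSIG/DNSKEY consistency in a signed zone during a ZSK rollover.

Added example, not OpenDNSSEC code. Parses a simplified single-line
presentation-format zone, computes DNSKEY key tags (RFC 4034 Appendix B),
and reports which key tag signed what, which RRSIGs reference a DNSKEY
that is no longer published, and which RRSIGs have already expired.
"""
import base64
import struct
from collections import Counter
from datetime import datetime, timezone

# Constructed sample zone mid-rollover: the base64 blobs are a few arbitrary
# bytes, not real keys; they exist only so the computed key tags are stable.
# The last RRSIG references a key tag for which no DNSKEY is published.
SAMPLE_ZONE = """\
example.com. 3600 IN DNSKEY 257 3 8 qrs=      ; hypothetical KSK (constructed)
example.com. 3600 IN DNSKEY 256 3 8 AQIDBA==  ; old ZSK, RETIRE (constructed)
example.com. 3600 IN DNSKEY 256 3 8 ECAwQA==  ; new ZSK, ACTIVE (constructed)
example.com. 3600 IN RRSIG DNSKEY 8 2 3600 20161027000000 20160927000000 44740 example.com. c2ln
example.com. 3600 IN RRSIG SOA 8 2 3600 20161020000000 20160920000000 2062 example.com. c2ln
www.example.com. 3600 IN RRSIG A 8 3 3600 20161010000000 20160910000000 2062 example.com. c2ln
mail.example.com. 3600 IN RRSIG A 8 3 3600 20161025000000 20160925000000 17512 example.com. c2ln
old.example.com. 3600 IN RRSIG A 8 3 3600 20161020000000 20160920000000 11111 example.com. c2ln
"""


def key_tag(flags, protocol, algorithm, pubkey_b64):
    """RFC 4034 Appendix B key tag computed over the DNSKEY RDATA."""
    if algorithm == 1:
        raise ValueError("algorithm 1 (RSA/MD5) uses a different key tag rule")
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def _rr_fields(line):
    """Strip a ';' comment, tokenize, and return (owner, type, rdata tokens)."""
    line = line.split(";", 1)[0].strip()
    if not line:
        return None
    tokens = line.split()
    try:
        cls_idx = tokens.index("IN")      # owner ttl IN TYPE rdata...
    except ValueError:
        return None
    return tokens[0], tokens[cls_idx + 1], tokens[cls_idx + 2:]


def _sigtime(token):
    return datetime.strptime(token, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_zone(text):
    """Return ({key_tag: DNSKEY info}, [RRSIG dicts]) for the zone text."""
    dnskeys, rrsigs = {}, []
    for line in text.splitlines():
        parsed = _rr_fields(line)
        if parsed is None:
            continue
        owner, rtype, rdata = parsed
        if rtype == "DNSKEY":
            flags, proto, alg = (int(x) for x in rdata[:3])
            pubkey = "".join(rdata[3:])    # key material may span several tokens
            dnskeys[key_tag(flags, proto, alg, pubkey)] = {"flags": flags, "algorithm": alg}
        elif rtype == "RRSIG":
            rrsigs.append({
                "owner": owner,
                "type_covered": rdata[0],
                "algorithm": int(rdata[1]),
                "expiration": _sigtime(rdata[4]),
                "inception": _sigtime(rdata[5]),
                "key_tag": int(rdata[6]),
                "signer": rdata[7],
            })
    return dnskeys, rrsigs


def audit_zone(text, now):
    """Summarize who signed what and flag orphaned or expired signatures."""
    dnskeys, rrsigs = parse_zone(text)
    return {
        "published_keys": dnskeys,
        "sigs_per_key": Counter(sig["key_tag"] for sig in rrsigs),
        "orphaned": [sig for sig in rrsigs if sig["key_tag"] not in dnskeys],
        "expired": [sig for sig in rrsigs if sig["expiration"] <= now],
    }


if __name__ == "__main__":
    report = audit_zone(SAMPLE_ZONE, datetime(2016, 10, 15, tzinfo=timezone.utc))
    for tag, n in sorted(report["sigs_per_key"].items()):
        state = "published" if tag in report["published_keys"] else "NOT PUBLISHED"
        print(f"key tag {tag}: {n} RRSIG(s), DNSKEY {state}")
    for sig in report["orphaned"]:
        print(f"orphaned RRSIG: {sig['owner']} {sig['type_covered']} by key tag {sig['key_tag']}")
    for sig in report["expired"]:
        print(f"expired RRSIG: {sig['owner']} {sig['type_covered']} expired {sig['expiration']:%Y-%m-%d}")
```

Signatures by a RETIRE-state ZSK are harmless as long as that key's DNSKEY stays in the zone until the last such signature has expired; the "orphaned" list is the condition worth alerting on, and the "expired" list shows which signatures the signer will regenerate with the new ZSK on its next pass.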
Arun Natarajan
2016-09-27 15:13:44 UTC
Thanks Yuri,
Post by Yuri Schaeffer
OpenDNSSEC tries to keep signatures in the zone as long as they are
valid. Only when a signature expires and thus needs a resign, the
signature is generated with the new ZSK.
You'll notice that some signatures are generated with the new ZSK and
some with the old ZSK. The signature validity is configurable in the
KASP. During that time both ZSKs have their DNSKEY record published in
the zone.
My understanding was that it creates new signatures with the new key once the
keys are rolled.
Post by Yuri Schaeffer
Post by Arun Natarajan
I guess if we clear the ods and run signer again it will work, but
wondering why it does not happen automatically?
It would work, but it is probably not what you want.
Yeah, probably not a good idea. Might be useful in an emergency rollover,
though.

--
arun
_______________________________________________
Opendnssec-user mailing list
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
Jake Zack
2016-09-27 15:37:10 UTC
Confirmed it does work (nuking the signature cache and restarting ODS).


CIRA's signing system signs separately with both BIND and ODS, then compares at the end, and only after validity checks and comparison is it published to the world, so we've occasionally seen ODS have signatures that haven't expired yet for outgoing keys cause issues where BIND doesn't have the same signatures on hand.

It's not ideal, as stated below, because it causes a full re-sign of the zone versus using the perfectly valid signatures under the old key. If you have a small zone, though, I guess the extra few seconds of signing time probably isn't a major concern.

We tend to do:

/sbin/service ods-signerd stop
rm -rf /var/opendnssec/tmp/* /var/opendnssec/signed/*
/sbin/service ods-signerd start

We stop and restart ods-signerd because we're set to "keep" serial rather than increment, and ods-signerd doesn't like signing the same serial twice.

We're moving away from the dual-signer setup now, however, as we believe both pieces of software have matured in their DNSSEC handling, and after years of comparing zone output, the value in combing over minute differences in outputs is no longer as substantial as it once was.

-jake
Marc Groeneweg
2016-09-28 08:34:46 UTC
Jake,

It's not only the signing time that is of consequence. After a full resign of your zone, you also force a full AXFR of your zone to your nameservers. We fully trust in the operation of OpenDNSSEC, btw. After a few checks and such, before publishing the zone ;-)

Marc
Benno Overeinder
2016-09-28 10:30:51 UTC
Hi Zack,
Post by Jake Zack
/sbin/service ods-signerd stop
rm -rf /var/opendnssec/tmp/* /var/opendnssec/signed/*
/sbin/service ods-signerd start
We stop and restart ods-signerd because we’re set to “keep” serial rather than increment…and ods-signerd doesn’t like signing the same serial twice.
Sounds like a wish/request for a default-override option to achieve this. :-) This kind of feedback on usage can help us define the ODS roadmap for 2.1 and further.

Thanks,

— Benno
--
Benno J. Overeinder
NLnet Labs
http://www.nlnetlabs.nl/