[Opendnssec-user] Date of next transition: now
Sebastian Wiesinger
2017-04-24 10:33:12 UTC
Hello,

after updating to 2.1.0 I noticed that my domains don't seem to
progress in their key states. Note the date of next transition showing
"now":

***@alita:~# ods-enforcer key list -z 6v6.de -v
Keys:
Zone: Keytype: State: Date of next transition: Size: Algorithm: CKA_ID: Repository: KeyTag:
6v6.de KSK active now 2048 8 3813788f2e3479c271bc5d0f9da79db9 SoftHSM 38981
6v6.de KSK active now 2048 8 a2583a25560a47e34a48eb0c3dbbde62 SoftHSM 377
6v6.de ZSK ready now 1024 8 20243a97f7aca09c3cd9b1fa3226315c SoftHSM 50554
6v6.de ZSK retire now 1024 8 40f11fed90b3fa0308ebea5782306693 SoftHSM 33313
***@alita:~# ods-enforcer key list -z 6v6.de -v -d
Keys:
Zone: Key role: DS: DNSKEY: RRSIGDNSKEY: RRSIG: Pub: Act: Id:
6v6.de KSK rumoured omnipresent omnipresent NA 1 1 3813788f2e3479c271bc5d0f9da79db9
6v6.de KSK omnipresent omnipresent omnipresent NA 1 1 a2583a25560a47e34a48eb0c3dbbde62
6v6.de ZSK NA omnipresent NA rumoured 1 1 20243a97f7aca09c3cd9b1fa3226315c
6v6.de ZSK NA omnipresent NA unretentive 1 0 40f11fed90b3fa0308ebea5782306693

After restarting signer and enforcer this changes to:

***@alita:~# ods-enforcer key list -z 6v6.de -v
Keys:
Zone: Keytype: State: Date of next transition: Size: Algorithm: CKA_ID: Repository: KeyTag:
6v6.de KSK active 2017-04-29 17:07:07 2048 8 3813788f2e3479c271bc5d0f9da79db9 SoftHSM 38981
6v6.de KSK active 2017-04-29 17:07:07 2048 8 a2583a25560a47e34a48eb0c3dbbde62 SoftHSM 377
6v6.de ZSK ready 2017-04-29 17:07:07 1024 8 20243a97f7aca09c3cd9b1fa3226315c SoftHSM 50554
6v6.de ZSK retire 2017-04-29 17:07:07 1024 8 40f11fed90b3fa0308ebea5782306693 SoftHSM 33313
***@alita:~# ods-enforcer key list -z 6v6.de -v -d
Keys:
Zone: Key role: DS: DNSKEY: RRSIGDNSKEY: RRSIG: Pub: Act: Id:
6v6.de KSK omnipresent omnipresent omnipresent NA 1 1 3813788f2e3479c271bc5d0f9da79db9
6v6.de KSK omnipresent omnipresent omnipresent NA 1 1 a2583a25560a47e34a48eb0c3dbbde62
6v6.de ZSK NA omnipresent NA rumoured 1 1 20243a97f7aca09c3cd9b1fa3226315c
6v6.de ZSK NA omnipresent NA unretentive 1 0 40f11fed90b3fa0308ebea5782306693

So it seems that there is some sort of problem while transitioning
between states? Any idea what is going on?

Regards

Sebastian
--
GPG Key: 0x93A0B9CE (F4F6 B1A3 866B 26E9 450A 9D82 58A2 D94A 93A0 B9CE)
'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE.
-- Terry Pratchett, The Fifth Elephant
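The symptom in the listing above is a "Date of next transition" that stays at "now". As an added example, not code from the OpenDNSSEC project, here is a small parser for the 2.1 `ods-enforcer key list -v` layout plus a check that flags keys the enforcer should already have transitioned; the sample text is copied from the first listing, and the one-hour grace period is an assumption for monitoring use.

```python
import re
from datetime import datetime, timedelta
from typing import List, NamedTuple

TS_FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample: the first `key list -v` output from the thread, verbatim.
SAMPLE_BEFORE = """Keys:
Zone: Keytype: State: Date of next transition: Size: Algorithm: CKA_ID: Repository: KeyTag:
6v6.de KSK active now 2048 8 3813788f2e3479c271bc5d0f9da79db9 SoftHSM 38981
6v6.de KSK active now 2048 8 a2583a25560a47e34a48eb0c3dbbde62 SoftHSM 377
6v6.de ZSK ready now 1024 8 20243a97f7aca09c3cd9b1fa3226315c SoftHSM 50554
6v6.de ZSK retire now 1024 8 40f11fed90b3fa0308ebea5782306693 SoftHSM 33313
"""

class Key(NamedTuple):
    zone: str
    keytype: str
    state: str
    next_transition: str  # literal "now" or "YYYY-MM-DD HH:MM:SS"
    size: int
    algorithm: int
    cka_id: str
    repository: str
    keytag: int

# One key row of `ods-enforcer key list -v` as printed by 2.1 in the thread.
ROW_RE = re.compile(
    r"^(?P<zone>\S+)\s+(?P<keytype>KSK|ZSK|CSK)\s+(?P<state>\S+)\s+"
    r"(?P<next>now|\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?P<size>\d+)\s+"
    r"(?P<alg>\d+)\s+(?P<cka>[0-9a-f]{32})\s+(?P<repo>\S+)\s+(?P<tag>\d+)\s*$"
)

def parse_key_list(text: str) -> List[Key]:
    """Parse key rows; the 'Keys:' banner and the column header simply do not match."""
    keys = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            keys.append(Key(m["zone"], m["keytype"], m["state"], m["next"],
                            int(m["size"]), int(m["alg"]), m["cka"],
                            m["repo"], int(m["tag"])))
    return keys

def overdue_keys(keys: List[Key], now: str, grace_hours: int = 1) -> List[Key]:
    """Keys the enforcer should already have moved on: 'now' always counts, a dated
    transition counts once it lies more than grace_hours in the past (assumed threshold)."""
    now_dt = datetime.strptime(now, TS_FMT)
    grace = timedelta(hours=grace_hours)
    return [k for k in keys
            if k.next_transition == "now"
            or datetime.strptime(k.next_transition, TS_FMT) + grace < now_dt]
```

A transient "now" just before an enforcer run is normal; treat it as a finding only when it persists across consecutive checks, as it did in the thread.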
Yuri Schaeffer
2017-04-24 11:18:39 UTC
Hi Sebastian,
Post by Sebastian Wiesinger
So it seems that there is some sort of problem while transitioning
between states? Any idea what is going on?
Yes, I think you had a standby key in your 1.4 setup. 2.1 doesn't know
about this. It is not really doing a KSK rollover but it just so happens
to have two KSKs and it is coping with that. To solve this start a KSK
rollover:

ods-enforcer key rollover -z 6v6.de -t KSK

This should introduce a new key while also marking the two existing keys
as old. They will then be replaced by the new key.

//Yuri
Sebastian Wiesinger
2017-04-24 11:44:40 UTC
Post by Yuri Schaeffer
Hi Sebastian,
Post by Sebastian Wiesinger
So it seems that there is some sort of problem while transitioning
between states? Any idea what is going on?
Yes, I think you had a standby key in your 1.4 setup. 2.1 doesn't know
about this. It is not really doing a KSK rollover but it just so happens
to have two KSKs and it is coping with that. To solve this start a KSK
I already started a key rollover for that on another zone that worked
but still it did not continue with the rollover until I restarted the
enforcer. In the meantime I noticed that the enforcer logged that the
mysql server went away 2 days ago (the server was online the whole
time so I don't know why it logged that). Is it possible that the
enforcer freezes when the MySQL server connection went away?

Regards

Sebastian
Yuri Schaeffer
2017-04-24 12:14:53 UTC
Post by Sebastian Wiesinger
In the meantime I noticed that the enforcer logged that the
mysql server went away 2 days ago (the server was online the whole
time so I don't know why it logged that). Is it possible that the
enforcer freezes when the MySQL server connection went away?
The enforcer doesn't really freeze when there is no access to the
database. However it won't be able to do any meaningful work. All the
state of all the zones is in the database. Without a database connection
it should also not be able to print your key or zone lists.

//Yuri
Sebastian Wiesinger
2017-04-24 14:17:59 UTC
Post by Yuri Schaeffer
The enforcer doesn't really freeze when there is no access to the
database. However it won't be able to do any meaningful work. All the
state of all the zones is in the database. Without a database connection
it should also not be able to print your key or zone lists.
Hm okay, printing keys and zone lists worked though. Still I'm not
sure why the transition date changed from "now" to a date in the
future after restarting the daemons.

Regards

Sebastian
Sebastian Wiesinger
2017-04-25 11:53:03 UTC
Post by Sebastian Wiesinger
Post by Yuri Schaeffer
The enforcer doesn't really freeze when there is no access to the
database. However it won't be able to do any meaningful work. All the
state of all the zones is in the database. Without a database connection
it should also not be able to print your key or zone lists.
Hm okay, printing keys and zone lists worked though. Still I'm not
sure why the transition date changed from "now" to a date in the
future after restarting the daemons.
Hello,

I can confirm that I have to restart the enforcer after it loses its
MySQL connection once. Without the restart rollovers will not continue
and new ones will not be initiated.

Regards

Sebastian
Sebastian Wiesinger
2017-04-25 12:13:11 UTC
Post by Sebastian Wiesinger
I can confirm that I have to restart the enforcer after it loses its
MySQL connection once. Without the restart rollovers will not continue
and new ones will not be initiated.
Forgot the log messages when it happens:

Apr 25 03:48:00 alita ods-enforcerd: DB prepare SQL SELECT zone.id,
zone.rev, zone.policyId, zone.name, zone.signconfNeedsWriting,
zone.signconfPath, zone.nextChange, zone.ttlEndDs, zone.ttlEndDk,
zone.ttlEndRs, zone.rollKskNow, zone.rollZskNow, zone.rollCskNow,
zone.inputAdapterType, zone.inputAdapterUri, zone.outputAdapterType,
zone.outputAdapterUri, zone.nextKskRoll, zone.nextZskRoll,
zone.nextCskRoll FROM zone WHERE zone.name = ?

Apr 25 03:48:00 alita ods-enforcerd: DB prepare Err 2006: MySQL server has gone away

Apr 25 03:48:00 alita ods-enforcerd: [enforce_task] Could not find zone 6v6.de in database

Btw. the MySQL server is running fine while this happens. So it is not
a problem with the MySQL server itself. Still, the enforcer should retry
when the server goes away.

Regards

Sebastian
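Until the enforcer reconnects on its own, the log lines above are what an operator can watch for. The following detection logic is an added example, not OpenDNSSEC code: it scans ods-enforcerd syslog lines for the Err 2006 message and the zone-lookup failures that follow it, and reports whether a restart is needed. The sample lines are constructed after the excerpt in the thread (the SQL is shortened and a second zone, example.net, is added); the syslog layout without a PID is assumed from that excerpt.

```python
import re
from typing import List, Tuple

# Constructed sample, modelled on the syslog excerpt in the thread.
SAMPLE_LOG = """\
Apr 25 03:48:00 alita ods-enforcerd: DB prepare SQL SELECT zone.id, zone.rev FROM zone WHERE zone.name = ?
Apr 25 03:48:00 alita ods-enforcerd: DB prepare Err 2006: MySQL server has gone away
Apr 25 03:48:00 alita ods-enforcerd: [enforce_task] Could not find zone 6v6.de in database
Apr 25 03:48:01 alita ods-enforcerd: [enforce_task] Could not find zone example.net in database
Apr 25 03:48:05 alita ods-signerd: [STATS] 6v6.de RR[count=10 time=0(sec)]
"""

# Classic syslog prefix: "Mon DD HH:MM:SS host program[pid]: message" (pid optional).
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[\w.-]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
GONE_AWAY_RE = re.compile(r"\bErr 2006: MySQL server has gone away\b")
ZONE_MISSING_RE = re.compile(r"\[enforce_task\] Could not find zone (?P<zone>\S+) in database")

def analyse_enforcer_log(text: str) -> Tuple[List[str], List[str]]:
    """Return (timestamps of Err 2006 events, zones reported missing after the first one)."""
    gone_away: List[str] = []
    affected: List[str] = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m or m["prog"] != "ods-enforcerd":
            continue  # other daemons (signer) and unparseable lines are ignored
        msg = m["msg"]
        if GONE_AWAY_RE.search(msg):
            gone_away.append(m["ts"])
        elif gone_away:
            # In the thread the enforcer fails its zone lookup right after the
            # connection drops although the zone exists: record it as a symptom
            # of the lost connection, not as a genuinely missing zone.
            z = ZONE_MISSING_RE.search(msg)
            if z and z["zone"] not in affected:
                affected.append(z["zone"])
    return gone_away, affected

def enforcer_needs_restart(text: str) -> bool:
    """True when a connection loss was followed by failed zone work; 2.1.0 does
    not reconnect by itself (OPENDNSSEC-881), so a restart is the workaround."""
    gone_away, affected = analyse_enforcer_log(text)
    return bool(gone_away) and bool(affected)
```

Error 2006 on a healthy MySQL server is typically the server closing an idle client connection after its wait_timeout, which matches the enforcer's connection dropping while the server stayed up.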
Yuri Schaeffer
2017-04-26 07:51:29 UTC
Post by Sebastian Wiesinger
Still, the enforcer should retry
when the server goes away.
I agree and it is on our list of things to do.
https://issues.opendnssec.org/browse/OPENDNSSEC-881

//Yuri
Sebastian Wiesinger
2017-04-26 15:13:09 UTC
Post by Yuri Schaeffer
Post by Sebastian Wiesinger
Still, the enforcer should retry
when the server goes away.
I agree and it is on our list of things to do.
https://issues.opendnssec.org/browse/OPENDNSSEC-881
Great, I'll wait for it!

Regards

Sebastian