[Opendnssec-user] key export in ods 2.0.1
Fred.Zwarts
2016-08-09 14:37:33 UTC
After the first impression, mentioned in my previous mail, I continued to
adapt some scripts.
I very much like the --parsable option of ods-enforcer.

There is something that I do not understand.
I used to parse the output of "ods-ksmutil key export --zone KVI.nl",
but now the command "ods-enforcer key export --zone KVI.nl" does not produce
any output on the screen, except the line "key export completed in 0
seconds". Where can I find the exported keys?
Hoda Rohani
2016-08-09 14:50:57 UTC
Hello Fred,

The key export command returns ready and active KSKs by default. It seems your KSKs are not in those states.
If you want to export other keys, you can explicitly specify the key state or key type.

key export
--zone <zone> | --all
[--keystate <state>]
[--keytype <type>]
[--ds]



Regards,
Hoda Rohani
Fred.Zwarts
2016-08-09 15:14:57 UTC
There are active and ready keys:

# ods-enforcer key list --zone KVI.nl
Keys:
Zone: Keytype: State: Date of next transition:
KVI.nl KSK retire 2016-08-12 16:33:10
KVI.nl ZSK active 2016-08-12 16:33:10
KVI.nl ZSK ready 2016-08-12 16:33:10
KVI.nl KSK active 2016-08-12 16:33:10
key list completed in 0 seconds.
# ods-enforcer key export --zone KVI.nl
key export completed in 0 seconds.
#

Yuri Schaeffer
2016-08-09 15:32:38 UTC
Hi Fred,
Post by Fred.Zwarts
# ods-enforcer key list --zone KVI.nl
KVI.nl KSK retire 2016-08-12 16:33:10
KVI.nl ZSK active 2016-08-12 16:33:10
KVI.nl ZSK ready 2016-08-12 16:33:10
KVI.nl KSK active 2016-08-12 16:33:10
key list completed in 0 seconds.
# ods-enforcer key export --zone KVI.nl
key export completed in 0 seconds.
I'll rephrase Hoda's words to make it a bit more accurate: key export
prints the keys that need to be submitted to the parent zone and are not
ds-seen yet. So if it would say "waiting for ds-seen" your key export
would also show you the DNSKEY record.

try:
ods-enforcer key export --zone KVI.nl -t KSK

//Yuri
Fred.Zwarts
2016-08-10 07:44:09 UTC
# ods-enforcer key list --zone KVI.nl
Keys:
Zone: Keytype: State: Date of next transition:
KVI.nl KSK retire 2016-08-12 16:33:10
KVI.nl ZSK active 2016-08-12 16:33:10
KVI.nl ZSK ready 2016-08-12 16:33:10
KVI.nl KSK active 2016-08-12 16:33:10
key list completed in 0 seconds.
# ods-enforcer key export --zone KVI.nl -t KSK
key export completed in 0 seconds.
# ods-enforcer key export --zone KVI.nl --keystate active
KVI.nl. 3600 IN DNSKEY 257 3 8
AwEAAcVFSs7AaspVxBjZSX8WP6nsIBcSwxM4JW3ZCmxCE9J3RIe9iujl2T0UT9oPqyLC8gI42Pbg0bLJweEjJXGFnA2NDDmUq4mcdflg0s8S2R36eX7uaK22lmv/n6etgRv5haoeEQOn+2tbb5+JUzty/NS+HoPNGf0zzPewkkZg+1gKmW+lgBnWw4thMPwcGsDz8b0vUpneOPiKlA5jx0EBmKLcSh3S5RBmgSMxFdn+gIAsoFw96fJcimF74a9acf9Z19WnPOOJ3nIsp7dMpwEiWqOlEgoPPxgGIZKwF6b5kZ/uPrSsbHHDOIVv4k6gkSmqaLV8HNqTxXpl1svPNtUOzqE=
;{id = 38854 (ksk), size = 2048b}
key export completed in 0 seconds.
#

So, adding "-t KSK" did not help, but adding "--keystate active" did.
Apparently, the default is not ready and active, but "waiting for ds-seen"?

Fred.Zwarts.
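An added example, not OpenDNSSEC project code, of the parsing a script like Fred's needs around these two commands: it reads the `key list` rows, extracts exported DNSKEY records even when a mail client has wrapped the base64, cross-checks the `id` in the trailing `;{id = ...}` comment against the RFC 4034 key tag computed from the RDATA (assumption: that id is the key tag, as in ods-ksmutil output), and treats the silent "completed in 0 seconds" case with no record as an error rather than success. The sample outputs are constructed to mirror the thread; the key material is a two-byte dummy.

```python
import base64
import re
# A data row of `ods-enforcer key list`: zone, KSK|ZSK, state, next transition.
_LIST_ROW = re.compile(r"^(\S+)\s+(KSK|ZSK)\s+(\S+)\s+(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)$")
# One `key export` record: DNSKEY in presentation format plus ";{id = N (ksk), size = Nb}".
# The base64 group tolerates whitespace because mail clients wrap the long key.
_EXPORT_REC = re.compile(
    r"(?P<owner>\S+)\s+(?P<ttl>\d+)\s+IN\s+DNSKEY\s+(?P<flags>\d+)\s+(?P<proto>\d+)\s+"
    r"(?P<alg>\d+)\s+(?P<key>[A-Za-z0-9+/=\s]+?)\s*;\{id = (?P<id>\d+) "
    r"\((?P<type>ksk|zsk)\), size = (?P<size>\d+)b\}")

def parse_key_list(text):
    """Return [(zone, keytype, state), ...]; header and footer lines do not match."""
    return [m.group(1, 2, 3) for m in map(_LIST_ROW.match, text.splitlines()) if m]

def key_tag(flags, proto, alg, key_b64):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (any algorithm except RSA/MD5)."""
    rdata = flags.to_bytes(2, "big") + bytes([proto, alg]) + base64.b64decode(key_b64)
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def parse_key_export(text):
    """One dict per exported DNSKEY. Output holding no record at all (only the
    "key export completed" line) raises, so a rollover script cannot mistake it for success."""
    body = " ".join(line.strip() for line in text.splitlines()
                    if line.strip() and not line.startswith("key export completed"))
    keys = []
    for m in _EXPORT_REC.finditer(body):
        b64 = re.sub(r"\s+", "", m["key"])          # undo mail-client wrapping
        tag = key_tag(int(m["flags"]), int(m["proto"]), int(m["alg"]), b64)
        keys.append({"owner": m["owner"], "flags": int(m["flags"]), "alg": int(m["alg"]),
                     "type": m["type"], "id": int(m["id"]), "tag": tag,
                     "tag_matches_id": tag == int(m["id"])})
    if not keys:
        raise ValueError("no DNSKEY exported; pass --keystate/--keytype explicitly")
    return keys

# Constructed samples shaped like the thread's output; the key is a 2-byte dummy ("AQI=").
SAMPLE_LIST = """Keys:
Zone: Keytype: State: Date of next transition:
KVI.nl KSK retire 2016-08-12 16:33:10
KVI.nl ZSK active 2016-08-12 16:33:10
KVI.nl KSK active 2016-08-12 16:33:10
key list completed in 0 seconds.
"""
SAMPLE_EXPORT = "KVI.nl. 3600 IN DNSKEY 257 3 8\nAQI=\n;{id = 1291 (ksk), size = 16b}\nkey export completed in 0 seconds.\n"
SAMPLE_EMPTY = "key export completed in 0 seconds.\n"
```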
Fred.Zwarts
2016-08-10 09:35:54 UTC
So, to get the export the --keystate option of ods-enforcer must be used. I
could not find in the documentation how the different keystates can be
specified. I see that "retire" and "active" are accepted, but "ds-seen", or
"waiting for ds-seen" result in "unknown keystate, Error parsing arguments".
Where can I find a list of acceptable keystates?

Fred.Zwarts.
Yuri Schaeffer
2016-08-10 11:27:53 UTC
Post by Fred.Zwarts
So, to get the export the --keystate option of ods-enforcer must be
used. I could not find in the documentation how the different keystates
can be specified. I see that "retire" and "active" are accepted, but
"ds-seen", or "waiting for ds-seen" result in "unknown keystate, Error
parsing arguments". Where can I find a list of acceptable keystates?
I made an issue for us to fix this code and documentation. For now, the
code defines the following states:

"generate", "publish", "ready", "active", "retire", "dead", "unknown",
"mixed"

//Yuri
Fred.Zwarts
2016-08-10 13:13:57 UTC
Thanks, this helps a bit.
But "dead", "unknown" and "mixed" still result in "unknown keystate, Error
parsing arguments" when used to export keys.

What should I use to export keys in the states "waiting for ds-seen" and
"waiting for ds-gone"?
(These are the ones (with the -ds option) that are needed during roll-overs
to update the parent zone.)

Thanks for your patience.
Fred.Zwarts.
Yuri Schaeffer
2016-08-10 15:38:01 UTC
Post by Fred.Zwarts
Thanks, this helps a bit.
But "dead", "unknown" and "mixed" still result in "unknown keystate,
Error parsing arguments" when used to export keys.
Ah yes, I was reading the wrong piece of code. There is some more code
that applies a filter on the input arguments. That code accepts:

generate, publish, ready, active, retire, revoke
Post by Fred.Zwarts
What should I use to export keys in the states "waiting for ds-seen" and
"waiting for ds-gone"?
(These are the ones (with the -ds option) that are needed during
roll-overs to update the parent zone.)
As far as I can tell nothing particular. A key in those states should
show up when you do

key export -z <zone>

Doesn't this work for you?
Post by Fred.Zwarts
Thanks for your patience.
Not at all. We are happy to receive feedback so we know which parts need
our attention most. Which at the moment is probably documentation.

//Yuri
Casper Gielen
2017-10-20 14:16:43 UTC
Post by Yuri Schaeffer
Post by Fred.Zwarts
Thanks, this helps a bit.
But "dead", "unknown" and "mixed" still result in "unknown keystate,
Error parsing arguments" when used to export keys.
Ah yes, I was reading the wrong piece of code. There is some more code
that applies a filter on the input arguments. That code accepts.
generate, publish, ready, active, retire, revoke
Hi,
sorry for the late reply but I feel this part has yet to be fully
documented.

I'm trying to convert my tools to ODS2 but I ran into problems due to a
lack of understanding of the process. There is a lot of information on
https://wiki.opendnssec.org/display/DOCS20/Key+States+Explained but it
is cryptic at best*. The useful information seems to be on the second
half of the page.
Nowhere is it explained how all the state machines go together, what is
expected from the user, or what the relation is to the states of the DS
at the parent, or whether or not backup is a state.

I consider myself an experienced ODS1 user and I'm not sure I fully get
it. This mail started out as a request for help but I solved my
particular problem while writing it. I post it anyway to validate that I
got it right and perhaps to help the next person that needs it.


Here is my description of the typical workflow from the point of view of
a user.
====

Generate ~= KEY_DATA_DS_AT_PARENT_UNSUBMITTED
state: A new key has been generated and has been added to the zone.
next: Automatic.

Publish.1
state: Key is not ready to be published.
next: Issue 'backup prepare'

Publish.2
state: Database is ready to make a backup.
next: Make a backup and issue 'backup commit'.

Publish.3 ~= KEY_DATA_DS_AT_PARENT_SUBMIT
state: Key is backed up
next: Request to upload the DS to the parent by calling 'ds-submit'.

Ready.1 ~= KEY_DATA_DS_AT_PARENT_SUBMITTED
state: Key is being published and spread to the parent's DNS servers.
next: Confirm that the DS is fully published by the parent with 'ds-seen'.

Ready.2 ~= KEY_DATA_DS_AT_PARENT_SEEN.
state: Everything is ready but the new key is not actually used.
next: Nothing, just wait until the next time the enforcer runs.

Active
state: The key is in active use
next: Wait or request to stop using this key by calling 'rollover'

Retire ~= KEY_DATA_DS_AT_PARENT_RETRACT
state: Key is no longer used for new signatures
next: Request to remove the DS from the parent by calling 'ds-retract'.

Revoke ~= KEY_DATA_DS_AT_PARENT_RETRACTED
state: Key is not used at all
next: Confirm the DS has been removed by the parent with 'ds-gone'.

The signer will issue the ds-submit and ds-retract commands on its own.
The 'ds-seen' and 'ds-gone' commands must be invoked by the user or an
external script.


=====


I'm using ODS 2.0.4 as provided by Debian Stretch.



* The comparison with ODS1 and the description of the four state
machines are more confusing than helpful to new users. IMHO these state
machines are mostly irrelevant to the user and should not be the first
thing they read about.
--
Casper Gielen <***@uvt.nl> | LIS UNIX
PGP fingerprint = 16BD 2C9F 8156 C242 F981 63B8 2214 083C F80E 4AF7

Universiteit van Tilburg | Postbus 90153, 5000 LE
Warandelaan 2 | Telefoon 013 466 4100 | G 236 | http://www.uvt.nl