Discussion:
[Opendnssec-user] Key state not changing at "Date of next transition"
Arun N S
2016-05-04 06:59:48 UTC
Hi,

Trying to configure OpenDNSSEC with SoftHSM with automatic key generation
and roll over.

While querying the database for keys:
Zone:        Keytype:  State:    Date of next transition (to):    Size:  Algorithm:  CKA_ID:                           Repository:  Keytag:
example.com  ZSK       active    2016-05-04 10:40:56 (retire)     2048   8           457a1480ae07d5a966d40338777e4b93  SoftHSM      31461
example.com  ZSK       generate  (not scheduled)     (publish)    2048   8           5ab3b8b52447860557e3b47c0c3b0ac8  SoftHSM      23151
example.com  KSK       publish   2016-05-04 09:47:36 (ready)      2048   8           2fcc6fb8591261b35d82b81f588b630d  SoftHSM      45250

I can see that "Date of next transition" for KSK is at 2016-05-04
09:47:36 to READY. Is it supposed to happen automatically? The state did
not change until I stop and start ods-control.

Thanks,
Arun
Berry A.W. van Halderen
2016-05-04 07:13:56 UTC
Post by Arun N S
Hi,
Trying to configure OpenDNSSEC with SoftHSM with automatic key
generation and roll over.
Zone: Keytype: State: Date of next
example.com ZSK active 2016-05-04 10:40:56 (retire) 2048 8 457a1480ae07d5a966d40338777e4b93 SoftHSM 31461
example.com ZSK generate (not scheduled) (publish) 2048 8 5ab3b8b52447860557e3b47c0c3b0ac8 SoftHSM 23151
example.com KSK publish 2016-05-04 09:47:36 (ready) 2048 8 2fcc6fb8591261b35d82b81f588b630d SoftHSM 45250
I can see that "Date of next transition" for KSK is at 2016-05-04
09:47:36 to READY. Is it supposed to happen automatically?
Yes, as long as the system is running, transitions are performed
automatically. Except when it explicitly indicates so ("waiting
for...").
Post by Arun N S
The state did not change until I stop and start ods-control.
How do you mean? The transition is scheduled for a future time (at least
I guess your timezone). Was the state different earlier or did
it change state?

\Berry
Post by Arun N S
Thanks,
Arun
_______________________________________________
Opendnssec-user mailing list
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
Arun N S
2016-05-08 11:14:41 UTC
Thanks for the response.
Post by Berry A.W. van Halderen
Post by Arun N S
Hi,
Trying to configure OpenDNSSEC with SoftHSM with automatic key
generation and roll over.
Zone: Keytype: State: Date of next
example.com ZSK active 2016-05-04 10:40:56 (retire) 2048 8 457a1480ae07d5a966d40338777e4b93 SoftHSM 31461
example.com ZSK generate (not scheduled) (publish) 2048 8 5ab3b8b52447860557e3b47c0c3b0ac8 SoftHSM 23151
example.com KSK publish 2016-05-04 09:47:36 (ready) 2048 8 2fcc6fb8591261b35d82b81f588b630d SoftHSM 45250
I can see that "Date of next transition" for KSK is at 2016-05-04
09:47:36 to READY. Is it supposed to happen automatically?
Yes, as long as the system is running, transitions are performed
automatically. Except when it explicitly indicates so ("waiting
for...").
The "Date of next transition" has already passed and the key state did not
change until I stop and start ods-control.
Post by Berry A.W. van Halderen
Post by Arun N S
The state did not change until I stop and start ods-control.
How do you mean? The transition is scheduled for a future time (at least
I guess your timezone). Was the state different earlier or did
it change state?
This is on a test lab with shorter roll over intervals, and the future time
has already been reached, and the state did not change.
Post by Berry A.W. van Halderen
\Berry
Post by Arun N S
Thanks,
Arun
Yuri Schaeffer
2016-05-04 07:17:03 UTC
Hi Arun,
Post by Arun N S
I can see that "Date of next transition" for KSK is at 2016-05-04
09:47:36 to READY. Is it supposed to happen automatically? The state
did not change until I stop and start ods-control.
Yes it will happen automatically. Though in OpenDNSSEC 1.4 the enforcer
daemon will run periodically. By default this is 1 hour. Configurable in
conf.xml (Enforcer/Interval).

So it may take up to this time worst case. Or by some external signal
(like restarting in your case).

//Yuri
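
An added example, not part of the thread and not OpenDNSSEC code: a check for the situation discussed above that parses key rows in the layout Arun posted and separates a transition that is only waiting for the next periodic enforcer run from one that is overdue. The fixed-period wake-up model, the enforcer start time and the function names are assumptions made for the example.

```python
import math
import re
from datetime import datetime, timedelta

# Key rows copied from the listing quoted in the thread, one key per line.
LISTING = """\
example.com ZSK active 2016-05-04 10:40:56 (retire) 2048 8 457a1480ae07d5a966d40338777e4b93 SoftHSM 31461
example.com ZSK generate (not scheduled) (publish) 2048 8 5ab3b8b52447860557e3b47c0c3b0ac8 SoftHSM 23151
example.com KSK publish 2016-05-04 09:47:36 (ready) 2048 8 2fcc6fb8591261b35d82b81f588b630d SoftHSM 45250
"""

ROW = re.compile(
    r"^(?P<zone>\S+)\s+(?P<type>KSK|ZSK)\s+(?P<state>\w+)\s+"
    r"(?P<when>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d|\(not scheduled\))\s+"
    r"\((?P<next>\w+)\)\s+\d+\s+\d+\s+(?P<cka_id>[0-9a-f]+)\s+\S+\s+(?P<keytag>\d+)$")

def parse_keys(listing):
    """Return one dict per key row; 'due' is None for '(not scheduled)'."""
    keys = []
    for line in listing.splitlines():
        m = ROW.match(line.strip())
        if m:  # skip the header and any unrelated lines
            key = m.groupdict()
            key["due"] = (None if key["when"].startswith("(") else
                          datetime.strptime(key["when"], "%Y-%m-%d %H:%M:%S"))
            keys.append(key)
    return keys

def transition_status(key, now, enforcer_start, interval):
    """Assumed model: the enforcer wakes at enforcer_start + n * interval."""
    due = key["due"]
    if due is None:
        return "unscheduled"
    if now < due:
        return "scheduled"
    # First periodic wake-up at or after the due time handles the transition.
    ticks = max(0, math.ceil((due - enforcer_start) / interval))
    wake = enforcer_start + ticks * interval
    if now < wake:
        return "pending until " + wake.strftime("%H:%M:%S")
    return "overdue"  # a run has happened since the due time; investigate

def report(listing, now, enforcer_start, interval):
    return {k["keytag"]: transition_status(k, now, enforcer_start, interval)
            for k in parse_keys(listing)}

if __name__ == "__main__":
    start = datetime(2016, 5, 4, 9, 30)  # constructed enforcer start time
    print(report(LISTING, datetime(2016, 5, 4, 10, 15), start, timedelta(hours=1)))
```

A "pending" result is the expected delay Yuri describes; "overdue" means at least one periodic run has passed since the due time and the state still has not changed.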
Arun N S
2016-05-08 11:17:01 UTC
Post by Yuri Schaeffer
Hi Arun,
Post by Arun N S
I can see that "Date of next transition" for KSK is at 2016-05-04
09:47:36 to READY. Is it supposed to happen automatically? The state
did not change until I stop and start ods-control.
Yes it will happen automatically. Though in OpenDNSSEC 1.4 the enforcer
daemon will run periodically. By default this is 1 hour. Configurable in
conf.xml (Enforcer/Interval).
So it may take up to this time worst case. Or by some external signal
(like restarting in your case).
Hi Yuri,

Thanks for the hint. Noticed I had ZSK roll over and enforcer with same
frequency. Will try with shorter enforcer frequency.

--
arun
Post by Yuri Schaeffer
//Yuri