[Opendnssec-user] standby key no longer opendnssec 2.0
Bas van den Dikkenberg
2016-11-21 13:42:25 UTC
Hi

In opendnssec 1.4.x I had the option for a standby key; I know it was experimental.
Is this option removed in 2.x?



Bas
Yuri Schaeffer
2016-11-21 14:32:30 UTC
Post by Bas van den Dikkenberg
In opendnssec 1.4.x I had the option for a standby key; I know it was experimental.
Is this option removed in 2.x?
Yes. This concept doesn't exist in 2.0. On the other hand 2.0 gained the
possibility to initiate a rollover at _any_ given time.

//Yuri
Fred.Zwarts
2016-11-21 15:08:56 UTC
Post by Yuri Schaeffer
Post by Bas van den Dikkenberg
In opendnssec 1.4.x I had the option for a standby key; I know it was experimental.
Is this option removed in 2.x?
Yes. This concept doesn't exist in 2.0.
For both KSK and ZSK? I had the impression that standby keys are still
possible for ZSK. I used them in 2.0.1, but then the rollover failed badly.
Has it been removed completely in 2.0.3?
Yuri Schaeffer
2016-11-22 07:44:59 UTC
Post by Fred.Zwarts
Post by Yuri Schaeffer
Yes. This concept doesn't exist in 2.0.
For both KSK and ZSK? I had the impression that standby keys are still
possible for ZSK. I used them in 2.0.1, but then the rollover failed
badly. Has it been removed completely in 2.0.3?
Standby keys were never a thing in any 2.0 release. The failed rollover
involved standby keys but was not caused by it. The bugs in the
migration script caused the problems.

When doing the migration, 2.0 was aware of these standby keys but they
would not get any special treatment. Just regular old keys that it tried
to phase out.

//Yuri
Bas van den Dikkenberg
2016-11-22 11:49:25 UTC
How can I shorten the time of keystate generate to publish? It's now 1 day.


Bas
Yuri Schaeffer
2016-11-22 21:13:40 UTC
Post by Bas van den Dikkenberg
How can I shorten the time of keystate generate to publish? It's now 1 day.
You can lower <MaxZoneTTL> in the KASP. By default it is 1 day. The pace of
ZSK rollovers is mostly dictated by the TTL of the records, but the
enforcer component does not access the actual zone data. MaxZoneTTL is
used to indicate the longest TTL in your zone and prevents rollovers
from happening too quickly. The signer by the way uses this value to cap TTLs in
the zone. So setting this value lower does not break your zone DNSSEC wise.

ODS 2.0 is more conservative than 1.4 in publishing the DNSKEY in a
newly added zone. This is the result of 2.0 being more flexible WRT
rollovers (i.e. support algorithm rollover).

Regards,
Yuri
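
Added example (not part of the thread and not OpenDNSSEC code): because the signer caps TTLs at MaxZoneTTL, this Python script reads MaxZoneTTL from a policy fragment and lists which zone records would have their TTL capped if the value were lowered to one hour. The fragment's layout, the policy name and the records are constructed for illustration; check the element's place against your own kasp.xml.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: a minimal policy fragment, not a complete kasp.xml.
KASP_XML = """<KASP>
  <Policy name="default">
    <Signatures>
      <MaxZoneTTL>PT1H</MaxZoneTTL>
    </Signatures>
  </Policy>
</KASP>"""

# Constructed sample records: (owner, ttl_seconds, type)
ZONE_RECORDS = [
    ("example.com.", 86400, "NS"),
    ("www.example.com.", 300, "A"),
    ("example.com.", 7200, "MX"),
]

_DURATION = re.compile(
    r"^P(?:(\d+)W)?(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")

def duration_seconds(text):
    """Convert a duration such as P1D or PT3600S to seconds (W, D, H, M, S only)."""
    m = _DURATION.match(text.strip())
    if not m or text.strip() in ("P", "PT"):
        raise ValueError(f"unsupported duration: {text!r}")
    w, d, h, mi, s = (int(g or 0) for g in m.groups())
    return ((w * 7 + d) * 24 + h) * 3600 + mi * 60 + s

def max_zone_ttl(kasp_xml, policy):
    """Return MaxZoneTTL in seconds for the named policy."""
    root = ET.fromstring(kasp_xml)
    for pol in root.iter("Policy"):
        if pol.get("name") == policy:
            node = next(pol.iter("MaxZoneTTL"), None)
            if node is None:
                raise KeyError("policy has no MaxZoneTTL element")
            return duration_seconds(node.text)
    raise KeyError(f"no policy named {policy!r}")

def capped_records(records, cap):
    """List (owner, type, old_ttl, new_ttl) for records whose TTL exceeds the cap."""
    return [(o, t, ttl, cap) for o, ttl, t in records if ttl > cap]

if __name__ == "__main__":
    cap = max_zone_ttl(KASP_XML, "default")
    for owner, rtype, old, new in capped_records(ZONE_RECORDS, cap):
        print(f"{owner} {rtype}: TTL {old} -> {new}")
```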
Bas van den Dikkenberg
2016-11-22 12:02:04 UTC
@Yuri can you remove the standby keys from the documentation if they are no longer in 2.0?
Bas van den Dikkenberg
2016-11-22 12:56:17 UTC
Why does the generate state of a key take 1 day?


-----Original message-----
From: ***@mje99.posix.co.za [mailto:***@mje99.posix.co.za] On behalf of Mark Elkins
Sent: Tuesday 22 November 2016 13:47
To: Bas van den Dikkenberg <***@Dikkenberg.net>; Yuri Schaeffer
<***@nlnetlabs.nl>; opendnssec-***@lists.opendnssec.org
Subject: Re: [Opendnssec-user] standby key no longer opendnssec 2.0

Don't remove the documentation about stand-by keys, re-write it so when
someone looks for info on stand-by keys - they find out how it is now
done - with immediate roll-overs.. etc.
Post by Bas van den Dikkenberg
@Yuri can you remove the standby keys from the documentation if they are no longer in 2.0?
_______________________________________________
Opendnssec-user mailing list
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
--
Mark James ELKINS - Posix Systems - (South) Africa
***@posix.co.za Tel: +27.128070590 Cell: +27.826010496
For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za
Yuri Schaeffer
2016-11-23 08:47:32 UTC
Post by Bas van den Dikkenberg
Post by Bas van den Dikkenberg
@Yuri can you remove the standby keys from the documentation if they are no longer in 2.0?
Actually I can not find any reference to standby keys in the 2.0
documentation. (https://wiki.opendnssec.org/display/DOCS20/kasp.xml)
Post by Bas van den Dikkenberg
Don't remove the documentation about stand-by keys, re-write it so when
someone looks for info on stand-by keys - they find out how it is now
done - with immediate roll-overs.. etc.
Sounds good. I'll add a note.

//Yuri