[Opendnssec-user] Migration to 2.0.1
Fred.Zwarts
2016-08-09 12:52:17 UTC
Today I tried to migrate from ods 1.4.10 to 2.0.1 on our test system.
After the migration of the database and after adding the keytags I started
the new ods and it seems to run.
The first thing I noticed is that there are now some keys in the state
"waiting for ds-gone". I have the impression that these are our backup KSK
keys. Is this normal? I found that there is now a command "ods-enforcer key
ds-gone". This brings the keys to the state "retire". What is the idea
behind this?

I further noticed that "ods-enforcer key list" lists the keys in a different
order. Previously, all keys of a domain were listed together. Now I do not
immediately see how they are sorted. It makes it a bit more difficult to see
the state of a zone, but it can be easily worked around with the --zone
option.

Then I see that the output from "ods-enforcer backup list -v" is very
different from what previously was shown with "ods-ksmutil backup list -v".
The latter listed the backups with a date/time, but now I see a list of
hexadecimal numbers. What does it mean?

Thanks for your attention,
Fred.Zwarts.
Yuri Schaeffer
2016-08-09 14:37:05 UTC
Hi Fred,
Post by Fred.Zwarts
Today I tried to migrate from ods 1.4.10 to 2.0.1 on our test system.
After the migration of the database and after adding the keytags I
started the new ods and it seems to run.
The first thing I noticed is that there are now some keys in the state
"waiting for ds-gone". I have the impression that these are our backup
KSK keys. Is this normal? I found that there is now a command
"ods-enforcer key ds-gone". This brings the keys to the state "retire".
What is the idea behind this?
First, that could very well be your backup keys. 1.4 kept KSKs around
with only the DS published. 2.0 does not use backup keys, so it is just
removing them.

The ds-gone follows the same semantics as ds-seen. In 1.4 DS operations
would happen on a pair (old KSK + new KSK) of keys. A new DS got added
to the parent and the old DS removed. So a ds-seen would imply a
ds-gone. Now, 2.0 is built to support other kinds of rollovers. Hence the
need for an explicit command.
Post by Fred.Zwarts
I further noticed that "ods-enforcer key list" lists the keys in a
different order. Previously, all keys of a domain were listed together.
Now I do not immediately see how they are sorted. It makes it a bit more
difficult to see the state of a zone, but it can be easily worked around
with the --zone option.
Indeed. It is in the order the database returns the records.
Post by Fred.Zwarts
Then I see that the output from "ods-enforcer backup list -v" is very
different from what previously was shown with "ods-ksmutil backup list
-v". The latter listed the backups with a date/time, but now I see a
list of hexadecimal numbers. What does it mean?
Hmm. These are the locators of the keys on your HSM. But... no state is
being printed yet. I'll make an issue for this, so we can have this in a
future release. In the meantime I advise against using <RequireBackup/>
in conf.xml. You can still back up your keys (that was always an
external process), but you can't tell OpenDNSSEC yet about this backup
status.

Regards,
Yuri
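Because 2.0 no longer lets ds-seen imply ds-gone, the operator has to confirm the parent's DS RRset separately for each KSK before issuing either command. The script below is an added illustration of that check, written for this thread; it is not part of OpenDNSSEC and does not come from the list posters. It parses a constructed `dig`-style DS answer, compares it with the keytags the enforcer is waiting on, and only then prints the matching `ods-enforcer key ds-seen` / `ds-gone` command. The key states "waiting for ds-seen" and "waiting for ds-gone", the `--zone` and `--keytag` option names, and all keytags and digests are assumptions chosen for the example, as are the DS records themselves.

```python
import re
from typing import Dict, List, Set

# Constructed sample answer, in the format `dig +noall +answer DS example.com`
# prints. Keytags and digests are made up for this example.
SAMPLE_DS_ANSWER = """\
example.com.\t3600\tIN\tDS\t20326 8 2 E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D
example.com.\t3600\tIN\tDS\t20326 8 1 AD66B3276F796223AA45EDA773E92C6D98E70643
example.com.\t3600\tIN\tDS\t33333 8 2 1111111111111111111111111111111111111111111111111111111111111111
"""

# One DS record per line: owner TTL IN DS keytag algorithm digest-type digest
DS_RE = re.compile(
    r"^(?P<owner>\S+)\s+\d+\s+IN\s+DS\s+(?P<keytag>\d+)\s+(?P<alg>\d+)\s+"
    r"(?P<dtype>\d+)\s+(?P<digest>[0-9A-Fa-f\s]+)$"
)


def parse_ds_keytags(answer: str) -> Set[int]:
    """Return the keytags that currently have a DS record in the parent answer."""
    tags: Set[int] = set()
    for line in answer.splitlines():
        match = DS_RE.match(line.strip())
        if match:
            tags.add(int(match.group("keytag")))
    return tags


def classify_keys(parent_keytags: Set[int], enforcer_keys: Dict[int, str]) -> Dict[int, str]:
    """Decide, per KSK keytag, which enforcer command (if any) is safe to run.

    enforcer_keys maps keytag -> the state the enforcer reports for that key.
    A key waiting for ds-seen may be told ds-seen only if its DS is published;
    a key waiting for ds-gone may be told ds-gone only if its DS has disappeared.
    Any other combination means: wait, the parent is not there yet.
    """
    actions: Dict[int, str] = {}
    for tag, state in enforcer_keys.items():
        published = tag in parent_keytags
        if state == "waiting for ds-seen":
            actions[tag] = "ds-seen" if published else "wait: DS not yet published at parent"
        elif state == "waiting for ds-gone":
            actions[tag] = "ds-gone" if not published else "wait: DS still published at parent"
        else:
            actions[tag] = "none"
    return actions


def planned_commands(zone: str, actions: Dict[int, str]) -> List[str]:
    """Render the ods-enforcer commands that are safe to run now (assumed option names)."""
    commands = []
    for tag in sorted(actions):
        if actions[tag] in ("ds-seen", "ds-gone"):
            commands.append(f"ods-enforcer key {actions[tag]} --zone {zone} --keytag {tag}")
    return commands


if __name__ == "__main__":
    # Constructed enforcer view: one new KSK, one old KSK, one old KSK whose DS
    # is still in the parent (the case an implied ds-gone would get wrong).
    enforcer_view = {
        20326: "waiting for ds-seen",
        11111: "waiting for ds-gone",
        33333: "waiting for ds-gone",
    }
    in_parent = parse_ds_keytags(SAMPLE_DS_ANSWER)
    decisions = classify_keys(in_parent, enforcer_view)
    for tag, decision in sorted(decisions.items()):
        print(f"keytag {tag}: {decision}")
    for cmd in planned_commands("example.com", decisions):
        print(cmd)
```

Run it as-is to see the decisions for the constructed data; in practice the DS answer would come from querying the parent zone's authoritative servers, and only the printed commands for keys whose DS status at the parent matches the expected transition are then run against the enforcer.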
