Discussion:
[Opendnssec-user] ods-enforcer zapping domains
David Peall
2016-09-26 10:30:52 UTC
Permalink
Hi

Is it possible to rebuild the database for 3 zones that were deleted from the database? ods-signer is still signing the 3 domains:

ods-signer zones
There are 3 zones configured
- 1
- 2
- 3

ods-enforcer zone list
Database set to: opendnssec
No zones in database.
zone list completed in 0 seconds.

Keys are still in the HSM.

I need to keep the KSK at minimum the ZSK and RRSIG records can be re-generated.

Regards
—
David Peall
David Peall
2016-09-26 11:05:57 UTC
Permalink
Hi

I've been looking around; I'm using the following to extract the DNSKEY values out of the HSM and match them to the zone files so I can re-link them in the database.
KSK - ods-hsmutil dnskey <id> test 257 8
ZSK - ods-hsmutil dnskey <id> test 257 8

The rest of the database looks fairly straightforward; if there are any heads-ups, I'd appreciate them.

Regards
—
David Peall
_______________________________________________
Opendnssec-user mailing list
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
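The matching step described above (render each HSM key as a DNSKEY and find the same key in the zone file) as an added example; this is not OpenDNSSEC's own code. It assumes that both `ods-hsmutil dnskey <id> <zone> <flags> <alg>` and the zone file present DNSKEY records in RFC 4034 presentation format (`<owner> [ttl] [IN] DNSKEY <flags> 3 <alg> <base64>`), and the key ids, key material and zone below are constructed for illustration. It matches on public-key material rather than on key tag, because the flags field is part of the RDATA and therefore changes the tag: rendering a ZSK with 257 (the typo later corrected in the thread) produces a tag that matches nothing in the zone, and the report calls that out as a flags mismatch instead of a missing key.

```python
"""Match DNSKEYs rendered from an HSM against the DNSKEY RRset of a zone file.

Added example, not OpenDNSSEC code. Input format assumed: RFC 4034 presentation
format for both the HSM-rendered lines and the zone file. All ids and keys are
constructed for illustration.
"""
from __future__ import annotations

import base64
import re
from dataclasses import dataclass

DNSKEY_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?:\d+\s+)?(?:IN\s+)?DNSKEY\s+(?P<flags>\d+)\s+3\s+"
    r"(?P<alg>\d+)\s+(?P<key>[A-Za-z0-9+/=\s]+?)\s*$"
)


@dataclass(frozen=True)
class DnsKey:
    owner: str
    flags: int
    alg: int
    pubkey: bytes

    @property
    def rdata(self) -> bytes:
        # flags(2) | protocol(1, always 3) | algorithm(1) | public key
        return self.flags.to_bytes(2, "big") + b"\x03" + bytes([self.alg]) + self.pubkey

    @property
    def role(self) -> str:
        # The SEP bit (value 1) is what makes 257 a KSK and 256 a ZSK.
        return "KSK" if self.flags & 1 else "ZSK"

    def key_tag(self) -> int:
        # RFC 4034 Appendix B. Algorithm 1 (RSA/MD5) uses another scheme; not handled.
        ac = 0
        for i, b in enumerate(self.rdata):
            ac += (b << 8) if i % 2 == 0 else b
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF


def parse_dnskey(line: str) -> DnsKey:
    m = DNSKEY_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a DNSKEY record: {line!r}")
    key = base64.b64decode(re.sub(r"\s+", "", m.group("key")), validate=True)
    return DnsKey(m.group("owner").lower(), int(m.group("flags")), int(m.group("alg")), key)


def zone_dnskeys(zone_text: str) -> list[DnsKey]:
    # Only lines that are DNSKEY RRs; RRSIG-over-DNSKEY lines do not match the regex.
    out = []
    for line in zone_text.splitlines():
        if DNSKEY_RE.match(line.strip()):
            out.append(parse_dnskey(line))
    return out


def match_hsm_keys(hsm_keys: dict[str, str], zone_text: str) -> dict[str, dict]:
    """Map each HSM key id (-> rendered DNSKEY line) to the zone DNSKEY with the
    same algorithm and public key, and report whether the rendered flags agree."""
    in_zone = {(k.alg, k.pubkey): k for k in zone_dnskeys(zone_text)}
    report: dict[str, dict] = {}
    for key_id, line in hsm_keys.items():
        hk = parse_dnskey(line)
        zk = in_zone.get((hk.alg, hk.pubkey))
        if zk is None:
            report[key_id] = {"status": "not in zone", "rendered_tag": hk.key_tag()}
        elif zk.flags != hk.flags:
            # Same key material, wrong flags: the tag you computed will not be the zone's tag.
            report[key_id] = {"status": "flags mismatch", "rendered_tag": hk.key_tag(),
                              "zone_tag": zk.key_tag(), "role": zk.role}
        else:
            report[key_id] = {"status": "match", "zone_tag": zk.key_tag(), "role": zk.role}
    return report


# Constructed sample zone (tiny fake keys; the RRSIG payload is a placeholder).
ZONE = """$ORIGIN example.com.
$TTL 3600
example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. 2016092601 3600 900 1209600 300
example.com. 3600 IN DNSKEY 257 3 8 AwEAAavN
example.com. 3600 IN DNSKEY 256 3 8 AwEAARI0
example.com. 3600 IN RRSIG DNSKEY 8 2 3600 20161010000000 20160926000000 45784 example.com. bm90YXJlYWxzaWc=
"""

# Constructed stand-ins for `ods-hsmutil dnskey <id> example.com <flags> 8` output;
# the ids are hypothetical. The ZSK is deliberately rendered with 257 (the typo).
HSM_KEYS = {
    "7ea1c0de": "example.com. 3600 IN DNSKEY 257 3 8 AwEAAavN",
    "5eedbeef": "example.com. 3600 IN DNSKEY 257 3 8 AwEAARI0",
    "0ddba11": "example.com. 3600 IN DNSKEY 256 3 8 AwEAAAAA",
}

if __name__ == "__main__":
    for key_id, info in match_hsm_keys(HSM_KEYS, ZONE).items():
        print(key_id, info)
```

In practice you would build the `hsm_keys` mapping by looping over the ids from `ods-hsmutil list` and rendering each one once with 257 and once with 256 (or simply match on key material as above and let the report tell you the role); a key reported as "not in zone" is one that the zone never carried, not a rollover leftover, so it is the first candidate for `ods-hsmutil remove`.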
David Peall
2016-09-26 16:43:51 UTC
Permalink
Hi

Ok, so I came right: I added the zone entries in the zone table.

Then I added the keyData for the KSKs and linked them to the correct zone and the correct key in the hsmKey table.

I started and then stopped the OpenDNSSEC system.

It created the default keyState entries. I used those and the following commands to get the keys back to ACTIVE:
ods-enforcer key list -d
ods-enforcer key list -v

- Side note: it would be super useful to know which database states correspond to which key states.

The DNSKEY entries and the DNSKEY RRSIG still didn't appear in the zone; the rest is signed correctly.

I then set nextChange in the zone table back; this started a ZSK rollover. I did that a few times and it got stuck on PUBLISH.

I rolled the machine clock forward a day and the new ZSK changed to READY and the old one to RETIRE, and the zone re-signed and contained all the DNSKEY entries and the DNSKEY RRSIG.

I then rolled the machine clock back and re-signed; the zone file looks fine and all the RRSIGs are valid and signed with the new ZSK.

OpenDNSSEC shooting its own DB seems to be a rather drastic bug, what is the timeline on a fix for this?

Regards
—
David Peall
Post by David Peall
Hi
I’ve been looking around I’m using the following to extract the DNSKEY values out of the HSM and match them to the zone files so I can re link them in the database.
KSK - ods-hsmutil dnskey <id> test 257 8
ZSK - ods-hsmutil dnskey <id> test 257 8
Typo

ZSK - ods-hsmutil dnskey <id> test 256 8
Yuri Schaeffer
2016-09-27 08:12:50 UTC
Permalink
Post by David Peall
OpenDNSSEC shooting its own DB seems to be a rather drastic bug, what is the timeline on a fix for this?
I am going to guess you added your zones via the command line interface
and proceeded later with a 'ods-enforcer update all'. Which indeed
deletes all zones not in your zonelist.xml (anymore). This was reported
last week on this list as well and we intend to release a fix for this
this week.

Regards,
Yuri

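A pre-flight check for the situation Yuri describes, as an added example (not part of the thread and not OpenDNSSEC code): since `ods-enforcer update all` drops every zone that is no longer in zonelist.xml, compare the zonelist with the zones the enforcer currently knows before running it. The function takes the enforcer's zone names as a plain list (copy them from `ods-enforcer zone list`); the zonelist document and the enforcer zone names below are constructed, and the zonelist layout follows the `<ZoneList><Zone name="..."/>` structure OpenDNSSEC uses.

```python
"""What would `ods-enforcer update all` delete? Added example, not OpenDNSSEC code.

Assumption: zonelist.xml is a <ZoneList> with one <Zone name="..."> per zone.
The sample zonelist and enforcer zone names are constructed.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET


def _norm(name: str) -> str:
    return name.strip().rstrip(".").lower()


def zonelist_names(zonelist_xml: str) -> set[str]:
    root = ET.fromstring(zonelist_xml)
    if root.tag != "ZoneList":
        raise ValueError(f"expected <ZoneList> root, got <{root.tag}>")
    names = set()
    for zone in root.iter("Zone"):
        if "name" not in zone.attrib:
            raise ValueError("<Zone> without a name attribute")
        names.add(_norm(zone.attrib["name"]))
    return names


def update_all_impact(zonelist_xml: str, enforcer_zones: list[str]) -> dict[str, list[str]]:
    """Zones the enforcer has but the zonelist lacks are the ones `update all` removes."""
    listed = zonelist_names(zonelist_xml)
    known = {_norm(z) for z in enforcer_zones}
    return {
        "would_delete": sorted(known - listed),
        "would_add": sorted(listed - known),
        "unchanged": sorted(listed & known),
    }


# Constructed zonelist: only example.com was ever written to the file; the other
# two zones were added on the command line, as in the thread.
ZONELIST = """<ZoneList>
  <Zone name="example.com">
    <Policy>default</Policy>
    <SignerConfiguration>/var/opendnssec/signconf/example.com.xml</SignerConfiguration>
    <Adapters>
      <Input><Adapter type="File">/var/opendnssec/unsigned/example.com</Adapter></Input>
      <Output><Adapter type="File">/var/opendnssec/signed/example.com</Adapter></Output>
    </Adapters>
  </Zone>
</ZoneList>
"""

# Constructed stand-in for the names shown by `ods-enforcer zone list`.
ENFORCER_ZONES = ["example.com.", "example.net", "example.org"]

if __name__ == "__main__":
    impact = update_all_impact(ZONELIST, ENFORCER_ZONES)
    if impact["would_delete"]:
        print("update all would DELETE:", ", ".join(impact["would_delete"]))
    print(impact)
```

If "would_delete" is non-empty and those zones are wanted, add them to zonelist.xml first; running `update all` with the list as it stands is what empties the enforcer database while the signer keeps signing from its own configuration.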
Hoda Rohani
2016-09-26 11:45:32 UTC
Permalink
Hi David,

After deleting the zones in the enforcer, you need to run 'ods-signer update'. This command forces the signer to fetch the updates; you won't see deleted zones in the signer's queue any more.

Yes, keys remain in the HSM. For deleting keys, you can issue 'ods-hsmutil remove id'.

Regards,

Hoda Rohani

From: Opendnssec-user [mailto:opendnssec-user-***@lists.opendnssec.org] On Behalf Of David Peall
Sent: Monday, September 26, 2016 12:31 PM
To: Opendnssec-***@lists.opendnssec.org List <opendnssec-***@lists.opendnssec.org>
Subject: [Opendnssec-user] ods-enforcer zapping domains