[Opendnssec-user] termination of obs2 DelegationSignerSubmitCommand input stream missing?
PGNet Dev
2016-12-21 14:57:51 UTC
The email should have been sent at an earlier stage. Internally DS
* unsubmitted
* submit
* submitted (waiting for ds-seen)
* seen
* retract
* retracted
The transition between submit and submitted should go automatically when
you have a DelegationSignerSubmitCommand specified. Like you have.
trying to follow/understand keystates

delete & re-add

ods-enforcer zone delete --all
ods-enforcer zone add -z example.info -p lab

check current time

date
Wed Dec 21 06:41:33 PST 2016

note the current, reported key state ... 'publish'

ods-enforcer key list --verbose
Keys:
Zone: Keytype: State: Date of next transition: Size: Algorithm: CKA_ID: Repository: KeyTag:
example.info KSK publish 2016-12-21 06:45:01 2048 8 acec57818bc81329aff8b50d1b368c37 SoftHSM 31180
example.info ZSK ready 2016-12-21 06:45:01 1024 8 93d581dac130c9ff795c246698511e97 SoftHSM 4800

wait until after "Date of next transition"

date
Wed Dec 21 06:46:58 PST 2016

key state has NOT changed after 'next transition'; not sure what SHOULD have shown ...

ods-enforcer key list --verbose
Keys:
Zone: Keytype: State: Date of next transition: Size: Algorithm: CKA_ID: Repository: KeyTag:
example.info KSK publish 2016-12-21 06:51:01 2048 8 acec57818bc81329aff8b50d1b368c37 SoftHSM 31180
example.info ZSK ready 2016-12-21 06:51:01 1024 8 93d581dac130c9ff795c246698511e97 SoftHSM 4800

eventually, simply waiting longer

date
Wed Dec 21 06:53:29 PST 2016

ods-enforcer key list --verbose
Keys:
Zone: Keytype: State: Date of next transition: Size: Algorithm: CKA_ID: Repository: KeyTag:
example.info KSK ready waiting for ds-seen 2048 8 acec57818bc81329aff8b50d1b368c37 SoftHSM 31180
example.info ZSK active 2016-12-21 10:35:01 1024 8 93d581dac130c9ff795c246698511e97 SoftHSM 4800

still no "keystate_ds_x_cmd" in logs, and no email sent
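To see what the three `ods-enforcer key list --verbose` snapshots above are actually reporting, here is an added parser (my code, not part of this thread or of OpenDNSSEC). It consumes the snapshots quoted in the post, separates keys whose "Date of next transition" was merely pushed back from keys whose state actually moved, and flags the KSK once its transition column reads "waiting for ds-seen", which is the point at which DelegationSignerSubmitCommand should have been executed and the logs and mail should be checked. The column layout is assumed from the output shown in the post; the snapshots are embedded as constructed sample input.

```python
"""Parse `ods-enforcer key list --verbose` output and flag KSKs that have reached
'waiting for ds-seen' (column layout assumed from the output quoted above)."""
from datetime import datetime

# Constructed sample input: the three snapshots quoted in the post above.
SNAPSHOT_BEFORE = """\
Keys:
Zone: Keytype: State: Date of next transition: Size: Algorithm: CKA_ID: Repository: KeyTag:
example.info KSK publish 2016-12-21 06:45:01 2048 8 acec57818bc81329aff8b50d1b368c37 SoftHSM 31180
example.info ZSK ready 2016-12-21 06:45:01 1024 8 93d581dac130c9ff795c246698511e97 SoftHSM 4800
"""
SNAPSHOT_MIDDLE = """\
Keys:
Zone: Keytype: State: Date of next transition: Size: Algorithm: CKA_ID: Repository: KeyTag:
example.info KSK publish 2016-12-21 06:51:01 2048 8 acec57818bc81329aff8b50d1b368c37 SoftHSM 31180
example.info ZSK ready 2016-12-21 06:51:01 1024 8 93d581dac130c9ff795c246698511e97 SoftHSM 4800
"""
SNAPSHOT_AFTER = """\
Keys:
Zone: Keytype: State: Date of next transition: Size: Algorithm: CKA_ID: Repository: KeyTag:
example.info KSK ready waiting for ds-seen 2048 8 acec57818bc81329aff8b50d1b368c37 SoftHSM 31180
example.info ZSK active 2016-12-21 10:35:01 1024 8 93d581dac130c9ff795c246698511e97 SoftHSM 4800
"""


def parse_key_list(text):
    """Return one dict per key row.

    The 'Date of next transition' column is either a timestamp or free text such
    as 'waiting for ds-seen', so it is recovered as everything between the state
    column and the five fixed trailing columns (size, alg, CKA_ID, repo, keytag)."""
    keys = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 8 or tok[0].endswith(":"):  # skips 'Keys:' and the header row
            continue
        zone, keytype, state = tok[:3]
        size, algorithm, cka_id, repository, keytag = tok[-5:]
        nxt = " ".join(tok[3:-5])
        try:
            nxt = datetime.strptime(nxt, "%Y-%m-%d %H:%M:%S")
        except ValueError:
            pass  # textual marker, e.g. 'waiting for ds-seen'
        keys.append({"zone": zone, "keytype": keytype, "state": state, "next": nxt,
                     "size": int(size), "algorithm": int(algorithm), "cka_id": cka_id,
                     "repository": repository, "keytag": keytag})
    return keys


def ksks_awaiting_ds(keys):
    """(zone, keytag) of KSKs whose DS hand-off to the parent is pending: for these
    the enforcer should already have run DelegationSignerSubmitCommand, so this is
    the moment to look for 'keystate_ds_x_cmd' log lines or the submit mail."""
    return [(k["zone"], k["keytag"]) for k in keys
            if k["keytype"] == "KSK" and isinstance(k["next"], str) and "ds-seen" in k["next"]]


def state_changes(before, after):
    """Map CKA_ID -> (old_state, new_state) for keys whose reported state moved."""
    old = {k["cka_id"]: k["state"] for k in before}
    return {k["cka_id"]: (old[k["cka_id"]], k["state"])
            for k in after if k["cka_id"] in old and old[k["cka_id"]] != k["state"]}


def stalled(before, after):
    """Keytags whose transition date was pushed back with no state change: the
    symptom in the post, where the enforcer re-evaluated but nothing moved yet."""
    old = {k["cka_id"]: k for k in before}
    out = []
    for k in after:
        o = old.get(k["cka_id"])
        if (o and o["state"] == k["state"]
                and isinstance(o["next"], datetime) and isinstance(k["next"], datetime)
                and k["next"] > o["next"]):
            out.append(k["keytag"])
    return out


if __name__ == "__main__":
    s1, s2, s3 = (parse_key_list(s) for s in (SNAPSHOT_BEFORE, SNAPSHOT_MIDDLE, SNAPSHOT_AFTER))
    print("stalled between snapshot 1 and 2:", stalled(s1, s2))
    print("state changes between snapshot 1 and 3:", state_changes(s1, s3))
    print("KSKs now waiting for ds-seen:", ksks_awaiting_ds(s3))
```

Run it against a live system by piping `ods-enforcer key list --verbose` output into `parse_key_list` at two points in time; an empty `ksks_awaiting_ds` result means the DS submission step has not been reached yet and the absence of a mail is expected, while a non-empty result with no matching log entry is the condition the thread is chasing.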
Havard Eidnes
2016-12-21 15:19:24 UTC
In case the enforcer logged an error it should prepend it with
'keystate_ds_x_cmd'. So please grep your logs for that.
I've something amiss re state mgmt.
at verbosity = 6, on exec
/usr/local/opendnssec/sbin/ods-enforcer zone add -z example.info -p lab
there's no such log entry,
Again, after zone add the DS doesn't get submitted immediately.
OpenDNSSEC should first have to make sure the keys and signatures are
sufficiently propagated. You'll have to wait for the "waiting for
ds-seen" state.
If I recall correctly, with OpenDNSSEC 1.4, I think you also had to
wait for the keys in the (Soft)HSM database to be marked as being
"backed up" in order for the keys to proceed to the state before
"waiting for ds-seen", which I think is "publish", not sure what the
state before that is called. Not sure if that's the case with
OpenDNSSEC 2.0, though; I've not dared venture into that quite yet.

Regards,

- Håvard
Yuri Schaeffer
2016-12-21 15:10:52 UTC
Post by PGNet Dev
key state has NOT changed after 'next transition'; not sure what SHOULD have shown ...
This as a remnant of the 1.4 enforcer. Which expressed states in
'publish', 'ready', etc. 2.0 has a more fine grained model. But it
presents the state in something familiar to 1.4 users. (at least it
tries to find a presentation as close as possible to the actual state,
which is not always a perfect match).

Use ods-enforcer key list --debug to see what *really* is going on.
Post by PGNet Dev
ods-enforcer key list --verbose
example.info KSK publish 2016-12-21 06:51:01 2048 8 acec57818bc81329aff8b50d1b368c37 SoftHSM 31180
example.info ZSK ready 2016-12-21 06:51:01 1024 8 93d581dac130c9ff795c246698511e97 SoftHSM 4800
eventually, simply waiting longer
date
Wed Dec 21 06:53:29 PST 2016
ods-enforcer key list --verbose
example.info KSK ready waiting for ds-seen 2048 8 acec57818bc81329aff8b50d1b368c37 SoftHSM 31180
example.info ZSK active 2016-12-21 10:35:01 1024 8 93d581dac130c9ff795c246698511e97 SoftHSM 4800
still no "keystate_ds_x_cmd" in logs, and no email sent
What you are describing should indeed either have sent a mail or have
logged something. Your theory about not terminating the command could
maybe also be the case. In any case I'll have a look.

Have you tried executing the script manually running under the
opendnssec user? - did it work?

//Yuri
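Following Yuri's suggestion to run the script manually under the opendnssec user, here is an added diagnostic stand-in (my code, not from this thread or from the OpenDNSSEC project) that DelegationSignerSubmitCommand can be pointed at temporarily. It assumes the enforcer writes the records for the zone to the command's standard input and expects a zero exit status (both assumptions about the interface, not stated in the thread). It drains stdin until EOF or a timeout, then logs how many lines arrived, whether EOF ever arrived, and which user it ran as; an `eof=False` line in the log is direct evidence for the unterminated-input theory in the subject line, and a missing log line means the command was never executed at all. The log path and timeout are placeholders.

```python
"""Diagnostic stand-in for DelegationSignerSubmitCommand (constructed example).

Drains stdin until EOF or a timeout and appends one summary line plus the
received records to a log file, then exits 0. Assumes the enforcer pipes the
records to stdin; LOG_PATH and TIMEOUT are placeholders to adjust locally."""
import os
import pwd
import select
import sys
import time

LOG_PATH = "/tmp/ds-submit-stub.log"   # placeholder path
TIMEOUT = 5.0                           # seconds to wait for EOF before giving up


def drain_stdin(fd, timeout):
    """Read file descriptor `fd` until EOF, or until `timeout` seconds elapse.

    Returns (lines, eof_seen). eof_seen == False means the writer never closed
    its end of the pipe, i.e. the input stream was not terminated."""
    chunks = []
    deadline = time.monotonic() + timeout
    eof_seen = False
    while True:
        remaining = deadline - time.monotonic()
        if remaining <= 0:
            break
        ready, _, _ = select.select([fd], [], [], remaining)
        if not ready:
            break                       # nothing more arrived before the deadline
        data = os.read(fd, 65536)
        if not data:
            eof_seen = True             # writer closed the pipe: proper termination
            break
        chunks.append(data)
    text = b"".join(chunks).decode("utf-8", "replace")
    return [ln for ln in text.splitlines() if ln.strip()], eof_seen


def report(lines, eof_seen, user):
    """Summary line for the log; returned rather than printed so it can be checked."""
    return "ds-submit-stub user=%s lines=%d eof=%s" % (user, len(lines), eof_seen)


def simulate_enforcer(payload, terminate, timeout=0.5):
    """Helper for exercising drain_stdin without the enforcer: write `payload`
    into a pipe and either close the writer (terminate=True) or leave it open."""
    r, w = os.pipe()
    os.write(w, payload)
    if terminate:
        os.close(w)
    try:
        return drain_stdin(r, timeout)
    finally:
        os.close(r)
        if not terminate:
            os.close(w)


def main():
    user = pwd.getpwuid(os.getuid()).pw_name
    lines, eof_seen = drain_stdin(sys.stdin.fileno(), TIMEOUT)
    with open(LOG_PATH, "a") as log:
        log.write(report(lines, eof_seen, user) + "\n")
        for ln in lines:
            log.write("  " + ln + "\n")
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Installed as the command, the log will show one line per invocation; running it by hand as the opendnssec user (`echo test | python3 ds-submit-stub.py`) first confirms the user can execute it and write the log, separating a permissions problem from an enforcer problem.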
