[Opendnssec-user] KSK Retirement log messages from ods-enforcerd
Marc Richter
2017-01-26 12:58:43 UTC
Hi,

for a test zone we have not done a KSK rollover for some time:

Keys:
Zone:        Keytype:  State:   Date of next transition:
uutest.com   KSK       dssub    waiting for ds-seen
uutest.com   KSK       active   2016-07-25 10:23:48
uutest.com   KSK       ready    waiting for ds-seen
uutest.com   ZSK       retire   2017-01-28 22:32:54
uutest.com   ZSK       active   2017-02-05 19:32:54
uutest.com   ZSK       ready    next rollover

Now, when ods-enforcerd runs it logs the following:

Jan 26 12:18:49 ods-enforcerd: Rollover of KSK expected at 2016-07-25 10:23:48 for uutest.com

Which seems kind of strange to me, as that rollover date is well in the
past.

According to

https://wiki.opendnssec.org/display/DOCS/Troubleshooting

the above log message means:

This is not an error, but a notification of an upcoming
(scheduled) rollover.

As it is not an upcoming, but a missed rollover (as the "Date of next
transition" has long passed), shouldn't it log the

ods-enforcerd: WARNING: KSK Retirement reached

message instead?

Regards
Marc
--
Marc Richter
Engr III Cslt-Ntwk Eng&Ops

Sebrathweg 20
44149 Dortmund
Germany

O +49 231 972 1293
F +49 231 972 2587
E ***@de.verizon.com
Yuri Schaeffer
2017-01-27 09:09:30 UTC
Hi Marc,
Post by Marc Richter
As it is not an upcoming, but a missed rollover (as the "Date of next
transition" has long passed), shouldn't it log the
ods-enforcerd: WARNING: KSK Retirement reached
message instead?
It is not really a missed rollover. It merely hasn't happened yet. It is
waiting for user input since that time.

We could append:

Jan 26 12:18:49 ods-enforcerd: Rollover of KSK expected at 2016-07-25 10:23:48 for uutest.com, waiting for human.

Or something more formal of course. :) Would that work?

//Yuri
Marc Richter
2017-01-27 09:23:42 UTC
Hi Yuri,

well, I understood it that way, that the

Rollover of KSK expected

message is the normal, non-critical message, being logged before the
lifetime of the KSK has actually expired.
But then, once the lifetime of a KSK has expired, the

KSK Retirement reached

message should be logged.
Did I understand that wrong? If yes, what is the exact trigger for the
"KSK Retirement reached" message then?

Regards
Marc
Post by Yuri Schaeffer
Hi Marc,
Post by Marc Richter
As it is not an upcoming, but a missed rollover (as the "Date of next
transition" has long passed), shouldn't it log the
ods-enforcerd: WARNING: KSK Retirement reached
message instead?
It is not really a missed rollover. It merely hasn't happened yet. It is
waiting for user input since that time.
Jan 26 12:18:49 ods-enforcerd: Rollover of KSK expected at 2016-07-25 10:23:48 for uutest.com, waiting for human.
Or something more formal of course. :) Would that work?
//Yuri
--
Marc Richter
Engr III Cslt-Ntwk Eng&Ops

Sebrathweg 20
44149 Dortmund
Germany

O +49 231 972 1293
F +49 231 972 2587
E ***@de.verizon.com
Yuri Schaeffer
2017-01-27 10:30:19 UTC
Post by Marc Richter
But then, once the lifetime of a KSK has expired, the
KSK Retirement reached
message should be logged.
Did I understand that wrong? If yes, what is the exact trigger for the
"KSK Retirement reached" message then?
I can't find such a message in the 1.4 source. However, this should be
logged as soon as the KSK gets to the ready state:

"WARNING: New KSK has reached the ready state; please submit the DS for
%s and use ods-ksmutil key ds-seen when the DS appears in the DNS.",

//Yuri
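The point Yuri makes is that "Rollover of KSK expected at <past date>" is not a missed rollover but one blocked on operator input (`ods-ksmutil key ds-seen`), which the enforcer's wording does not make obvious. The following check, added here as an example and not part of OpenDNSSEC or either poster's code, parses the `ods-ksmutil key list` layout shown in Marc's first post and the enforcer's "Rollover of KSK expected at" syslog line, and reports which keys are actually waiting on a human and which transitions are overdue. The function names, the `KeyRecord` fields and the embedded sample data (copied from the thread, with the reference time taken from the log line) are constructed for this example.

```python
"""Check for OpenDNSSEC KSK rollovers blocked on operator action.

Added example, not OpenDNSSEC code. It parses the plain-text output of
`ods-ksmutil key list` as quoted in the thread and the enforcer's
"Rollover of KSK expected at ..." syslog line. Names and sample data
are constructed for the example.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

TS_FMT = "%Y-%m-%d %H:%M:%S"


@dataclass
class KeyRecord:
    zone: str
    keytype: str                          # "KSK" or "ZSK"
    state: str                            # dssub, ready, active, retire, ...
    next_transition: Optional[datetime]   # None when the field is textual
    note: str                             # e.g. "waiting for ds-seen", else ""


def parse_key_list(text: str) -> list[KeyRecord]:
    """Parse `ods-ksmutil key list` output; header and blank lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[1] not in ("KSK", "ZSK"):
            continue  # "Keys:", the column header, or an unrelated line
        zone, keytype, state = parts[:3]
        rest = " ".join(parts[3:])
        try:
            records.append(KeyRecord(zone, keytype, state,
                                     datetime.strptime(rest, TS_FMT), ""))
        except ValueError:
            # Not a timestamp: the enforcer printed a textual status instead
            records.append(KeyRecord(zone, keytype, state, None, rest))
    return records


# Matches the enforcer notice quoted in the thread (the syslog prefix may vary).
ROLLOVER_RE = re.compile(
    r"ods-enforcerd: Rollover of (?P<keytype>KSK|ZSK) expected at "
    r"(?P<when>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) for (?P<zone>\S+)"
)


def parse_rollover_notice(line: str):
    """Return (zone, keytype, expected_at) or None if the line is not a notice."""
    m = ROLLOVER_RE.search(line)
    if not m:
        return None
    return m.group("zone"), m.group("keytype"), datetime.strptime(m.group("when"), TS_FMT)


def find_blocked_rollovers(records, now):
    """Return (zone, keytype, state, reason) for keys that need an operator.

    Two conditions, both from the thread: a key whose next-transition field
    says "waiting for ds-seen" (the enforcer will not advance until
    `ods-ksmutil key ds-seen` is run), and any key whose scheduled
    transition is already in the past, which in practice means it is held
    back by a key in the first condition.
    """
    findings = []
    for r in records:
        if "ds-seen" in r.note:
            findings.append((r.zone, r.keytype, r.state, "waiting for ds-seen"))
        elif r.next_transition is not None and r.next_transition < now:
            overdue = now - r.next_transition
            findings.append((r.zone, r.keytype, r.state,
                             f"transition overdue by {overdue.days} days"))
    return findings


def classify_rollover_notice(line, records, now):
    """Say whether an "expected at" notice is upcoming, blocked on ds-seen, or simply overdue."""
    parsed = parse_rollover_notice(line)
    if parsed is None:
        return None
    zone, keytype, when = parsed
    if when > now:
        return "upcoming"
    waiting = [r for r in records
               if r.zone == zone and r.keytype == keytype and "ds-seen" in r.note]
    return "blocked: waiting for ds-seen" if waiting else "overdue: no key waiting for ds-seen"


# Constructed sample input: the key list and log line from the thread.
SAMPLE_KEY_LIST = """\
Keys:
Zone: Keytype: State: Date of next
transition:
uutest.com KSK dssub waiting for ds-seen
uutest.com KSK active 2016-07-25 10:23:48
uutest.com KSK ready waiting for ds-seen
uutest.com ZSK retire 2017-01-28 22:32:54
uutest.com ZSK active 2017-02-05 19:32:54
uutest.com ZSK ready next rollover
"""
SAMPLE_LOG = ("Jan 26 12:18:49 ods-enforcerd: Rollover of KSK expected at "
              "2016-07-25 10:23:48 for uutest.com")
NOW = datetime(2017, 1, 26, 12, 18, 49)  # taken from the log line's timestamp

if __name__ == "__main__":
    recs = parse_key_list(SAMPLE_KEY_LIST)
    for finding in find_blocked_rollovers(recs, NOW):
        print("ACTION NEEDED:", *finding)
    print("notice means:", classify_rollover_notice(SAMPLE_LOG, recs, NOW))
```

Run against the thread's data this flags the two KSKs waiting for ds-seen and the active KSK whose transition is 185 days past due, and classifies the enforcer notice as blocked rather than upcoming. Feeding `ods-ksmutil key list` output and the enforcer log into it from cron turns the ambiguous "expected at" message into an explicit alert that a DS submission is pending.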