Hi Yuri,

On 07/18/2016 05:02 PM, Yuri Schaeffer wrote:
> I found a couple of errors in the migration script. Causing confusion in
> the enforcer about the role of a key (ksk/zsk). I would advise you to
> run the migration again but since you are live that might not be feasible.

Not really ... too many things have been changed already since.

> If you are adventurous we could try to patch your database? Assuming you
> are. Let's do this:

OK, a little bit, so I tried this.

> - stop opendnssec entirely
> - backup your kasp.db
> - run the following queries on your db:
>
> UPDATE keyData
> SET dsatparent = 0
> WHERE role = 2;
>
> UPDATE keyState
> SET state = 4
> WHERE (keyState.type = 0 OR keyState.type = 3) AND keyDataId IN (
>   SELECT keyData.id
>   FROM keyData
>   WHERE keyData.role = 2);
>
> UPDATE keyState
> SET state = 4
> WHERE keyState.type = 1 AND keyDataId IN (
>   SELECT keyData.id
>   FROM keyData
>   WHERE keyData.role = 1);
>
> This should get rid of those pesky ds-submit messages for ZSKs. And
> prevent premature rollovers.

Yes, the key states look a lot more reasonable now indeed. But it has also
managed to break my cacert.net zone again, just for a while I hope. That zone
is now signed by a retired ZSK, which is not in the zone file anymore, while
the formerly active ZSK is now in the 'ready' state, which will hopefully
change to 'active' at 2016-07-19 00:06:09.

> - start ODS back up
> - Make sure the enforcer processed all zones. If needed run ods-enforcer
>   enforce; ods-enforcer signconf (we want to make sure it writes a new
>   signconf even if it thinks there is nothing to do);

(I did all of that)

>> Well, after waiting a day, a somewhat friendlier solution has presented
>> itself. After expiry of a timer for the newly created KSK 330, the
>> ods-enforcer key export -d *did* actually give me the DS records for
>> KSK 330 (and some other useless ones). After uploading these DS records
>> to the registrar, the zone did come back to life, and is basically
>> looking healthy now.
>>
>> Still, this is not a feasible method to repair my other zones, since
>> I don't want to see them die DNSSEC-wise, while waiting for the timer
>> to expire. Only after that (many hours later) ods-enforcer key export -d
>> will finally give me the desired DS records.
>
> I expect after fixing the DB this will give you correct results.

Not really, for the cacert.net zone *nothing* is exported (might be
considered reasonable since the current KSK has already been uploaded), but
for the cacert.com zone ODS continues to export useless retired records (all
KSK now, that's a minor improvement I guess). Which means I still have to
wait until tomorrow morning before I can export the DS of the new KSK which
is still in 'publish' state ... but cannot be published lacking the DS :-(

Regards,
-- 
wytze
_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
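The manual repair procedure quoted in the thread (stop the enforcer, back up kasp.db, run the three UPDATE statements, restart) is the kind of live database surgery that is easy to get half-applied. The script below is an added example, not part of this thread and not code from the OpenDNSSEC project: it applies exactly the three quoted statements against an SQLite file, but only after taking a backup copy, inside one transaction, and it rolls back unless a post-condition check confirms the intended end state. The schema it builds is a constructed minimal stand-in for kasp.db containing only the columns the queries touch (keyData.id/role/dsatparent and keyState.keyDataId/type/state), not the real OpenDNSSEC schema; the integer codes (role 1 = KSK, role 2 = ZSK, the type and state values) are taken from the quoted queries as-is, and the `run_demo` helper and sample rows are assumptions made for illustration.

```python
import shutil
import sqlite3
import tempfile
from pathlib import Path

# The three repair statements from the quoted message, verbatim.
REPAIR_QUERIES = (
    "UPDATE keyData SET dsatparent = 0 WHERE role = 2;",
    "UPDATE keyState SET state = 4 "
    "WHERE (keyState.type = 0 OR keyState.type = 3) AND keyDataId IN ("
    "  SELECT keyData.id FROM keyData WHERE keyData.role = 2);",
    "UPDATE keyState SET state = 4 "
    "WHERE keyState.type = 1 AND keyDataId IN ("
    "  SELECT keyData.id FROM keyData WHERE keyData.role = 1);",
)


def build_constructed_db(path):
    """Constructed stand-in for kasp.db: only the tables/columns the queries
    touch. One KSK (role 1) and two ZSKs (role 2); the ZSKs carry the stray
    dsatparent=1 and DS-related states the thread describes. Sample data only."""
    conn = sqlite3.connect(path)
    conn.executescript(
        "CREATE TABLE keyData (id INTEGER PRIMARY KEY, role INTEGER, dsatparent INTEGER);"
        "CREATE TABLE keyState (id INTEGER PRIMARY KEY, keyDataId INTEGER,"
        "                       type INTEGER, state INTEGER);"
    )
    conn.executemany("INSERT INTO keyData VALUES (?, ?, ?)",
                     [(1, 1, 1), (2, 2, 1), (3, 2, 1)])
    conn.executemany(
        "INSERT INTO keyState (keyDataId, type, state) VALUES (?, ?, ?)",
        [(1, 0, 2), (1, 1, 2), (1, 2, 2), (1, 3, 2),
         (2, 0, 1), (2, 1, 2), (2, 2, 2), (2, 3, 1),
         (3, 0, 0), (3, 1, 2), (3, 2, 2), (3, 3, 0)])
    conn.commit()
    conn.close()


def find_violations(conn):
    """Rows that still contradict the end state the three queries aim for."""
    checks = {
        "zsk_dsatparent": "SELECT id FROM keyData WHERE role = 2 AND dsatparent <> 0",
        "zsk_ds_state": ("SELECT s.id FROM keyState s JOIN keyData k ON k.id = s.keyDataId "
                         "WHERE k.role = 2 AND s.type IN (0, 3) AND s.state <> 4"),
        "ksk_dnskey_state": ("SELECT s.id FROM keyState s JOIN keyData k ON k.id = s.keyDataId "
                             "WHERE k.role = 1 AND s.type = 1 AND s.state <> 4"),
    }
    return [(name, row[0]) for name, sql in checks.items() for row in conn.execute(sql)]


def apply_repair(db_path, dry_run=False):
    """Back up the file, run the repair in one transaction, commit only when the
    post-conditions hold and dry_run is False. Returns a summary dict."""
    db_path = Path(db_path)
    backup = db_path.with_suffix(db_path.suffix + ".bak")
    shutil.copy2(db_path, backup)               # "backup your kasp.db"
    conn = sqlite3.connect(db_path)
    conn.isolation_level = None                 # manual BEGIN/COMMIT/ROLLBACK
    conn.execute("BEGIN IMMEDIATE")             # take the write lock up front
    rows_changed, leftovers = [], []
    try:
        for query in REPAIR_QUERIES:
            rows_changed.append(conn.execute(query).rowcount)
        leftovers = find_violations(conn)       # verify before committing
        committed = not leftovers and not dry_run
        conn.execute("COMMIT" if committed else "ROLLBACK")
    except Exception:
        conn.execute("ROLLBACK")
        raise
    finally:
        conn.close()
    return {"rows_changed": rows_changed, "violations": leftovers,
            "committed": committed, "backup": str(backup)}


def run_demo():
    """Build the constructed db in a temp dir, dry-run, then apply for real."""
    with tempfile.TemporaryDirectory() as tmp:
        db = Path(tmp) / "kasp.db"
        build_constructed_db(db)
        with sqlite3.connect(db) as conn:
            before = len(find_violations(conn))
        dry = apply_repair(db, dry_run=True)
        real = apply_repair(db)
        with sqlite3.connect(db) as conn:
            after = len(find_violations(conn))
        return {"before": before, "dry": dry, "real": real, "after": after}


if __name__ == "__main__":
    print(run_demo())
```

Against a real kasp.db the same flow applies: stop the enforcer first, point `apply_repair` at the file, run with `dry_run=True` to see the row counts and any leftover violations, and only then commit. If the check finds rows the three statements did not cover, the transaction is rolled back and the backup copy is untouched, which is the safer outcome than the partial state the thread's author ran into.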
