Hi Fred,

Today I tried to migrate from ods 1.4.10 to 2.0.1 on our test system.
After the migration of the database and after adding the keytags I
started the new ods and it seems to run.
The first thing I noticed is that there are now some keys in the state
"waiting for ds-gone". I have the impression that these are our backup
KSK keys. Is this normal? I found that there is now a command
"ods-enforcer key ds-gone". This brings the keys to the state "retire".
What is the idea behind this?

First, those could very well be your backup keys. 1.4 kept a KSK around with only its DS published. 2.0 does not use backup keys, so it is just removing them.

The ds-gone follows the same semantics as ds-seen. In 1.4, DS operations would happen on a pair of keys (old KSK + new KSK): a new DS got added to the parent and the old DS removed, so a ds-seen would imply a ds-gone. 2.0 is built to support other kinds of rollover, hence the need for an explicit command.

I further noticed that "ods-enforcer key list" lists the keys in a
different order. Previously, all keys of a domain were listed together.
Now I do not immediately see how they are sorted. It makes it a bit more
difficult to see the state of a zone, but it can be easily worked around
with the --zone option.

Indeed. It is in the order the database returns the records.

Then I see that the output from "ods-enforcer backup list -v" is very
different from what previously was shown with "ods-ksmutil backup list
-v". The latter listed the backups with a date/time, but now I see a
list of hexadecimal numbers. What does it mean?

Hmm. These are the locators of the keys on your HSM. But no state is being printed yet. I'll open an issue for this, so we can have it in a future release. In the meantime I advise against using <RequireBackup/> in conf.xml. You can still back up your keys (that was always an external process), but you can't yet tell OpenDNSSEC about the backup status.

Regards,
Yuri
_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
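Since 2.0 makes ds-gone an explicit step rather than something implied by ds-seen, the practical caveat is that you should only tell the enforcer "ds-gone" once the parent really has stopped serving the old DS (and "ds-seen" only once it really serves the new one). The script below is an added example, not code from this thread or from the OpenDNSSEC project. It assumes dig is on PATH, that the 2.0 enforcer accepts "key ds-seen" / "key ds-gone" with --zone and --keytag (check ods-enforcer help on your installation), and the zone name example.test, keytags 12345 / 54321 and DS digests are all constructed sample data.

```shell
#!/bin/sh
# Added example, not OpenDNSSEC project code. Gates "ods-enforcer key ds-gone"
# on the parent zone no longer serving a DS for that keytag, and likewise
# "ds-seen" on the parent actually serving the new one.
# Assumptions (not from the thread): dig is on PATH, and the 2.0 enforcer
# accepts "key ds-seen|ds-gone --zone ZONE --keytag TAG"; check
# "ods-enforcer help" on your installation before relying on that.

# ds_keytags: read DS RRset text in "dig +short" form
# ("KEYTAG ALG DIGESTTYPE DIGEST...") on stdin, print one keytag per line.
ds_keytags() {
    awk 'NF >= 4 && $1 ~ /^[0-9]+$/ { print $1 }'
}

# keytag_in_ds TAG: succeed (exit 0) if TAG is among the DS keytags read from stdin.
keytag_in_ds() {
    ds_keytags | grep -qx "$1"
}

# ds_decision TAG ACTION: ACTION is "seen" or "gone". Reads the parent's DS
# text from stdin and prints "ok" when the parent's state matches what the
# enforcer is about to be told, "wait" otherwise. Pure function, so it can be
# exercised with constructed input and no live DNS.
ds_decision() {
    tag="$1"; action="$2"
    present=no
    if keytag_in_ds "$tag"; then present=yes; fi
    case "$action:$present" in
        seen:yes|gone:no) echo ok ;;
        *) echo wait ;;
    esac
}

# tell_enforcer ZONE TAG ACTION: query the parent for the live DS RRset, then
# run the enforcer command only when the parent agrees. Returns 1 and changes
# nothing in the enforcer when it does not; returns 2 if the lookup failed.
tell_enforcer() {
    zone="$1"; tag="$2"; action="$3"
    ds_text=$(dig +short "$zone" DS) || return 2
    if [ "$(printf '%s\n' "$ds_text" | ds_decision "$tag" "$action")" = ok ]; then
        ods-enforcer key "ds-$action" --zone "$zone" --keytag "$tag"
    else
        echo "parent DS state for $zone keytag $tag does not justify ds-$action yet; not telling the enforcer" >&2
        return 1
    fi
}

# Constructed sample of what "dig +short example.test DS" might return while
# both the old (12345) and new (54321) KSK have a DS at the parent; digests
# are made up and not real hashes of anything.
SAMPLE_DS='12345 8 2 6D5C4B3A2918070605040302010FFEEDDCCBBAA99887766554433221100AABB
54321 8 2 00112233445566778899AABBCCDDEEFF00112233445566778899AABBCCDDEEFF'

# Usage on a real system (uncomment):
# tell_enforcer example.test 54321 seen   # new DS is at the parent: ds-seen goes through
# tell_enforcer example.test 12345 gone   # old DS still at the parent: refused, enforcer untouched
```

The useful part is the refusal path: with the constructed RRset above, asking for ds-gone on 12345 is refused because the parent still serves that DS, while ds-seen on 54321 goes through. Run the ds-gone side again only after dig shows the old DS has actually dropped out at the parent (and its TTL has had a chance to expire at resolvers), which is exactly the state transition 2.0 now asks you to confirm by hand.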