On 22-06-18 at 15:33, Berry A.W. van Halderen wrote:
> On 06/22/2018 01:44 PM, Casper Gielen wrote:
>> My main problem is that zones lose DNSKEYs and get stuck with unverifiable
>> signatures.
>>
>> # ods-enforcer key list --zone wiskundeoptiu.nl -v
>> Keys:
>> Zone:             Keytype:  State:   Date of next transition:  Size:  Algorithm:  CKA_ID:                           Repository:  KeyTag:
>> wiskundeoptiu.nl  KSK       retire   2018-06-20 15:14:02       2048   8           489db07082a644fcfa67f077627b7c7c  LocalHSM     39466
>> wiskundeoptiu.nl  ZSK       retire   2018-06-20 15:14:02       1024   8           2f3c7829c40248b5537b3cd09266678c  LocalHSM     50226
>> wiskundeoptiu.nl  KSK       active   2018-06-20 15:14:02       2048   8           758cc85fc16528184f32dbfab70663f6  LocalHSM     62161
>> wiskundeoptiu.nl  ZSK       active   2018-06-20 15:14:02       1024   8           8472c2bac0dbfc86d3a687644a3ef4f5  LocalHSM     59790
>> wiskundeoptiu.nl  ZSK       ready    2018-06-20 15:14:02       1024   8           3e97dcd131d9264cad2fb84676ade00e  LocalHSM     28818
>
> Either this is a transcript from two days ago, or indeed something is
> stuck which (see later) might indeed be the case.
It is indeed old data, although nothing has really changed since, other than the date of next transition.

> If you had previously been running OpenDNSSEC as root, the signconf.xml
> file for the zone (normally located somewhere in a signconf directory
> (typically /var/opendnssec/signconf/wiskundeoptiu.nl.xml)
> might have been written as the root user, and when later running as
> a different user, OpenDNSSEC may then no longer be able to replace
> this file.

I've verified that everything under /var/lib/opendnssec is readable and writable by the opendnssec user. The configuration, under /etc/opendnssec, is readable but not writable.

> There is no feedback-loop from the signer to the enforcer,
> which is one of the ideas to be placed in as (optional) feature.
> What this means is that the enforcer will step through key roll
> procedures regardless of whether the signer has actually picked
> up the changes (in the signconf). This will further lead to
> problems because this means keys might actually be purged from
> the HSM and the signer will then fail further on.

That's good to know. I guess this also means that if the ODS server is not available (e.g. powered off) for a few days, then when it comes back online it might take a big step forward?

I bring it up because when this problem first surfaced (at an inconvenient time, as usual ;) ) I restored a backup from a few days before so we could get through the weekend, and then shut down ODS. In hindsight this might have caused problems when I turned it back on.

Thanks for your advice!

-- 
Casper Gielen <[email protected]> | LIS UNIX
PGP fingerprint = 16BD 2C9F 8156 C242 F981 63B8 2214 083C F80E 4AF7
Universiteit van Tilburg | Postbus 90153, 5000 LE
Warandelaan 2 | Telefoon 013 466 4100 | G 236 | http://www.uvt.nl

_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
