Hey guys,
I've been struggling with something that feels like it should be easy. I'm using ODS.
I'd like ODS to give me a list of all keys that should be in the parent zone.
As far as I can tell this is a four step process:
First extract the CKA_ID's of the keys that have Pub == 1 from 'key list -d':
root@ramachandra:~# ods-enforcer key list --zone example.com --keytype ksk -d
Zone:        Key role:  DS:          DNSKEY:      RRSIGDNSKEY:  RRSIG:  Pub:  Act:  Id:
example.com  KSK        unretentive  unretentive  unretentive   NA      0     0     149b8a0b2bba19195208231d5bf0d6a5
example.com  KSK        omnipresent  omnipresent  omnipresent   NA      1     1     550785d7a016b8814ec44ab61cedca2a
example.com  KSK        hidden       rumoured     rumoured      NA      1     1     f9ed71a437624a79821582653086be78
-> 550785d7a016b8814ec44ab61cedca2a, f9ed71a437624a79821582653086be78
Second, match the CKA_IDs from 'key list -d' with the output from 'key list -v' to get the KeyTags.
root@ramachandra:~# ods-enforcer key list --zone example.com -v
Zone:        Keytype:  State:   Date of next transition:  Size:  Algorithm:  CKA_ID:                           Repository:  KeyTag:
example.com  KSK       retire   waiting for ds-gone       2048   8           149b8a0b2bba19195208231d5bf0d6a5  LocalHSM     43531
example.com  KSK       active   2018-08-14 13:12:55       2048   8           550785d7a016b8814ec44ab61cedca2a  LocalHSM     57715
example.com  KSK       publish  2018-08-14 13:12:55       2048   8           f9ed71a437624a79821582653086be78  LocalHSM     28411
-> 57715, 28411
Thirdly, match the KeyTags with the output from 'ods-enforcer key export' to get to the actual key.
Finally, repeat these steps for the various keystates ('publish ready active retire').
ods-enforcer key export --zone $zone --keytype ksk
example.com. 3600 IN DNSKEY 257 3 8 Aw...5shk= ;{id = 43531 (ksk), size = 2048b}
ods-enforcer key export --zone mijnuvt.nl --keytype ksk --keystate active
example.com. 3600 IN DNSKEY 257 3 8 Aw...axPU= ;{id = 57715 (ksk), size = 2048b}
ods-enforcer key export --zone mijnuvt.nl --keytype ksk --keystate publish
example.com. 3600 IN DNSKEY 257 3 8 Aw...aHLc= ;{id = 10840 (ksk), size = 2048b}
-> Aw...axPU=, Aw...aHLc=
It seems way too complicated for something that. Am I overlooking something?
PS 1.
The way the terms 'active' and 'publish' are used is confusing to me.
The command 'ods-enforcer key list -d' has columns named 'Pub' and 'Act' that
only roughly correspond to the keystates named 'publish' and 'active'. I guess
this is a leftover from ODS 1.
PS 2.
By default 'ods-enforcer key export' shows only keys with keystate==retire.
That seems an odd choice.
PS 3.
I would have filed feature requests if I didn't have the feeling I'm doing
something wrong.
Unless someone points out an easy solution I might file the following feature
requests:
1. Add '--keytag' and '--cka_id' options to ods-export.
2. Make ods-export by default either export exactly those keys that should be
published in the parent zone or just every key known.
ods-enforcer key export --zone $zone --keytype ksk
-> Aw...axPU=, Aw...aHLc=
--
Casper Gielen <[email protected]> | LIS UNIX
PGP fingerprint = 16BD 2C9F 8156 C242 F981 63B8 2214 083C F80E 4AF7
Universiteit van Tilburg | Postbus 90153, 5000 LE
Warandelaan 2 | Telefoon 013 466 4100 | G 236 | http://www.uvt.nl
_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
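The four-step join described in the post (Pub==1 from 'key list -d', CKA_ID to KeyTag via 'key list -v', KeyTag to DNSKEY via 'key export') as one script. This is an added example, not OpenDNSSEC code; the three sample outputs are constructed after the column layout shown above, the DNSKEY material is a placeholder, and the 'publish' key is deliberately exported under a tag that does not match its listing so that the script has a miss to report instead of silently dropping a key.

```python
"""Join ods-enforcer 'key list -d', 'key list -v' and 'key export' output into
the list of KSK DNSKEY records the parent zone should carry.
Added example, not OpenDNSSEC code. All sample text below is constructed."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample of 'ods-enforcer key list --zone example.com --keytype ksk -d'.
KEY_LIST_D = """\
Zone:        Key role:  DS:          DNSKEY:      RRSIGDNSKEY:  RRSIG:  Pub:  Act:  Id:
example.com  KSK        unretentive  unretentive  unretentive   NA      0     0     149b8a0b2bba19195208231d5bf0d6a5
example.com  KSK        omnipresent  omnipresent  omnipresent   NA      1     1     550785d7a016b8814ec44ab61cedca2a
example.com  KSK        hidden       rumoured     rumoured      NA      1     1     f9ed71a437624a79821582653086be78
"""

# Constructed sample of 'ods-enforcer key list --zone example.com -v'.
# The 'Date of next transition' column itself contains spaces.
KEY_LIST_V = """\
Zone:        Keytype:  State:   Date of next transition:  Size:  Algorithm:  CKA_ID:                           Repository:  KeyTag:
example.com  KSK       retire   waiting for ds-gone       2048   8           149b8a0b2bba19195208231d5bf0d6a5  LocalHSM     43531
example.com  KSK       active   2018-08-14 13:12:55       2048   8           550785d7a016b8814ec44ab61cedca2a  LocalHSM     57715
example.com  KSK       publish  2018-08-14 13:12:55       2048   8           f9ed71a437624a79821582653086be78  LocalHSM     28411
"""

# Constructed sample of 'ods-enforcer key export' run per keystate and concatenated.
# Key material is a placeholder. The publish key is exported under tag 10840,
# which does not match the 28411 in the listing, so the join must report a miss.
KEY_EXPORT = """\
example.com. 3600 IN DNSKEY 257 3 8 AwEAAfakeRetiredKey= ;{id = 43531 (ksk), size = 2048b}
example.com. 3600 IN DNSKEY 257 3 8 AwEAAfakeActiveKey== ;{id = 57715 (ksk), size = 2048b}
example.com. 3600 IN DNSKEY 257 3 8 AwEAAfakePublishKey= ;{id = 10840 (ksk), size = 2048b}
"""


@dataclass
class Ksk:
    cka_id: str
    pub: bool
    act: bool
    keytag: int | None = None
    dnskey: str | None = None  # DNSKEY RR text from 'key export', comment stripped


def parse_key_list_d(text: str) -> dict[str, Ksk]:
    """Step 1: nine whitespace-separated columns; keep Pub, Act and Id."""
    keys: dict[str, Ksk] = {}
    for line in text.splitlines()[1:]:  # skip header row
        fields = line.split()
        if len(fields) != 9:
            continue  # blank or wrapped line
        pub, act, cka_id = fields[6], fields[7], fields[8]
        keys[cka_id] = Ksk(cka_id, pub == "1", act == "1")
    return keys


def parse_key_list_v(text: str) -> dict[str, int]:
    """Step 2: CKA_ID -> KeyTag. The date column may contain spaces
    ('waiting for ds-gone'), so the fixed columns are indexed from the right."""
    tags: dict[str, int] = {}
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 8:
            continue
        cka_id, keytag = fields[-3], fields[-1]
        tags[cka_id] = int(keytag)
    return tags


# RR text up to the base64 key, then the ';{id = NNNN' comment that carries the tag.
EXPORT_RE = re.compile(
    r"^(?P<rr>\S+\s+\d+\s+IN\s+DNSKEY\s+\d+\s+\d+\s+\d+\s+\S+)\s*;\{id\s*=\s*(?P<tag>\d+)"
)


def parse_key_export(text: str) -> dict[int, str]:
    """Step 3: KeyTag -> DNSKEY RR text (trailing comment removed)."""
    records: dict[int, str] = {}
    for line in text.splitlines():
        m = EXPORT_RE.match(line)
        if m:
            records[int(m.group("tag"))] = m.group("rr")
    return records


def parent_zone_keys(list_d: str, list_v: str, export: str) -> tuple[list[Ksk], list[str]]:
    """Step 4: every Pub==1 key resolved to a DNSKEY RR, plus the CKA_IDs of
    Pub==1 keys that could not be matched (never drop those silently)."""
    keys = parse_key_list_d(list_d)
    tags = parse_key_list_v(list_v)
    records = parse_key_export(export)
    resolved: list[Ksk] = []
    unresolved: list[str] = []
    for cka_id, key in keys.items():
        if not key.pub:
            continue  # Pub == 0: not meant for the parent zone
        key.keytag = tags.get(cka_id)
        key.dnskey = records.get(key.keytag) if key.keytag is not None else None
        if key.dnskey is None:
            unresolved.append(cka_id)
        else:
            resolved.append(key)
    return resolved, unresolved


if __name__ == "__main__":
    found, missing = parent_zone_keys(KEY_LIST_D, KEY_LIST_V, KEY_EXPORT)
    for k in found:
        print(f"{k.keytag}\t{k.dnskey}")
    for cka_id in missing:
        print(f"WARNING: Pub==1 key {cka_id} has no matching 'key export' line")
```

On a real system the three constants would be replaced by the captured output of the corresponding ods-enforcer commands; a non-empty `missing` list is the signal that the export did not cover every key the enforcer considers published, which is exactly the situation the manual four-step procedure makes easy to overlook.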