Hi again, I've now made a test installation of the Ubuntu Focal version of opendnssec 2.1.4 and have set up a signer using the standard demo configuration which comes with the package. Signing from file to file. With this config I still get double signatures during a ZSK rollover. After the publication period (new ZSK in state Rumored), the ZSK goes to state Omnipresent and starts using the new key for signing. At this point the signer creates double signatures and continues to do so throughout the re-signing period until the old key is removed from the zone.
Is there a demo configuration somewhere with kasp timing parameters tuned so that ZSK rollover replaces the signatures without doubling them (provided that this is possible and configuration is the problem)? That would be very useful.

Kind regards,
Erik Østlyngen
Norid AS
www.norid.no

On 15/01/2020 08.49, Erik P. Ostlyngen via Opendnssec-user wrote:
> On 14/01/2020 10.00, Berry A.W. van Halderen via Opendnssec-user wrote:
>> Dear Erik,
>>
>> It will also depend on the TTL of your keyset. The old signatures need to be around for at least that time period plus some more. The ods-enforcer key list command by default only gives out information whether a key is active or not, not the real underlying status of the key presence as seen on the internet. If you add the flag -d to the command it will output a more extended interpretation with, amongst others, whether a key is rumoured (active but not seen by everyone yet) or omnipresent (everyone should know about it). Only in that latter state will an old signature be dropped when a new signature is generated.
>>
>> Note also that it depends on how to perform a roll. The default is to move as swiftly as possible, not generating duplicate signatures or full resigns. Oh, and during a key roll with an algorithm rollover all signatures need to be kept present for some rolls.
>>
>> So without more information regarding KASP configuration and key state this doesn't yet look surprising to me. And certainly not wrong. There were some corrections in the past but you are on 2.1.4 already.
>
> Dear Berry,
>
> Thank you for your detailed and informative answer. I've tried to use the -d option to observe how the key states change during the rollover. It looks like the new ZSK goes to state 'omnipresent' after a short period of inactive/publishing:
>
> cmd> key list -d --zone bergen.no
> Keys:
> Zone:      Key role:  DS:          DNSKEY:      RRSIGDNSKEY:  RRSIG:       Pub:  Act:  Id:
> bergen.no  KSK        omnipresent  omnipresent  omnipresent   NA           1     1     c475614c9cbf33a1a1ae55836695590c
> bergen.no  ZSK        NA           omnipresent  NA            unretentive  1     0     7199b64ff27f109f4f86bb8ccc6fb166
> bergen.no  ZSK        NA           omnipresent  NA            rumoured     1     1     7a0c39ac376af233453002d70ced7926
>
> It is in this state, where both the old and the new ZSK are omnipresent, that the double signatures are inserted. I'm not able to see if my TTL values or other timing parameters are causing it. The ZSK roll type is 'ZskPrePublication'. There are no algorithm changes involved. I'm attaching the kasp policy configuration if you would like to have a look.
>
> Kind regards,
> Erik Østlyngen
> Norid AS
> www.norid.no
>
> _______________________________________________
> Opendnssec-user mailing list
> [email protected]
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
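As an added example (not code from the thread or from OpenDNSSEC itself), a small Python parser for the `key list -d` listing quoted above. It flags the prepublication window in which the new ZSK's RRSIG state is still rumoured while the old one is unretentive, which is the interval in which, per Berry's reply, both signature sets are expected to be present. The column names, the `SAMPLE` text (re-typed from the listing in the thread) and the helper functions are my own assumptions, not an OpenDNSSEC API.

```python
from collections import defaultdict

# Column order of `ods-enforcer key list -d` as shown in the thread (assumed fixed).
COLUMNS = ("zone", "role", "ds", "dnskey", "rrsigdnskey", "rrsig", "pub", "act", "id")

# Constructed sample: the three rows are re-typed from the listing in the thread.
SAMPLE = """Keys:
Zone:      Key role:  DS:          DNSKEY:      RRSIGDNSKEY:  RRSIG:       Pub:  Act:  Id:
bergen.no  KSK        omnipresent  omnipresent  omnipresent   NA           1     1     c475614c9cbf33a1a1ae55836695590c
bergen.no  ZSK        NA           omnipresent  NA            unretentive  1     0     7199b64ff27f109f4f86bb8ccc6fb166
bergen.no  ZSK        NA           omnipresent  NA            rumoured     1     1     7a0c39ac376af233453002d70ced7926
"""

def parse_key_list(text):
    """Turn the whitespace-separated listing into one dict per key row."""
    keys = []
    for line in text.splitlines():
        fields = line.split()
        # Skip the "Keys:" line, the header (10 tokens) and anything malformed.
        if len(fields) != len(COLUMNS) or fields[1] not in ("KSK", "ZSK", "CSK"):
            continue
        keys.append(dict(zip(COLUMNS, fields)))
    return keys

def zsk_roll_status(keys):
    """Per zone: is a ZSK roll in progress, and are two signature sets expected?"""
    by_zone = defaultdict(list)
    for k in keys:
        if k["role"] == "ZSK":
            by_zone[k["zone"]].append(k)
    status = {}
    for zone, zsks in by_zone.items():
        published = [k for k in zsks if k["dnskey"] == "omnipresent"]
        incoming = [k for k in zsks if k["rrsig"] == "rumoured"]
        outgoing = [k for k in zsks if k["rrsig"] == "unretentive"]
        status[zone] = {
            "zsk_count": len(zsks),
            # More than one ZSK in the DNSKEY set means a roll is under way.
            "roll_in_progress": len(published) > 1,
            # Old signatures are only dropped once the new key's RRSIG state is
            # omnipresent, so rumoured + unretentive means both sets are expected.
            "double_signatures_expected": bool(incoming) and bool(outgoing),
            "incoming": [k["id"] for k in incoming],
            "outgoing": [k["id"] for k in outgoing],
        }
    return status

if __name__ == "__main__":
    for zone, s in zsk_roll_status(parse_key_list(SAMPLE)).items():
        print(zone, s)
```

Feed it the real output of `ods-enforcer key list -d` to see whether the signer is inside that window or past it.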
