dnssec-policy - CSK rollover help
Matthijs Mekking
matthijs at isc.org
Tue Nov 22 08:03:27 UTC 2022
Thanks for providing the data.
So it looks to me that nothing has happened yet because you scheduled
the rollover at 20221122230000 (November 22, 2022, 23:00:00 UTC). That's
why no successor has been created yet, the datetime is still in the future.
You can see in the state file that the key will be retired at
2022-11-23 01:05:00 UTC. This is 2 hours and 5 minutes after the
rollover starts, that is the sum of the DNSKEY TTL plus the
publish-safety margin, plus the configured zone propagation delay.
So if all goes well, your rollover should start tonight (UTC).
You can set the log level to debug 1 and you will likely see the time in
seconds when the new successor needs to be generated/selected. ("keymgr:
new successor needed for DNSKEY XXXX (CSK) (policy default-nsec3) in
YYYY seconds").
Best regards,
Matthijs
On 21-11-2022 15:54, vom513 wrote:
>
>
>> On Nov 21, 2022, at 3:29 AM, Matthijs Mekking <matthijs at isc.org> wrote:
>>
>> Hi,
>>
>> It is hard to see what the problem is without any configuration or state information. Also, log level debug 3 gives you probably more useful logs when investigating a problem.
>>
>> Can you share (privately if you wish) the key **state** files, and the output of 'rndc dnssec -status' for the given zone?
>
> Yep, nothing top secret here. Here is rndc dnssec -status as well as the state file. Judging by the lifetime / retirement - looks like I have a 2 hour window after the rollover ? I suppose I can/should tweak/increase this lifetime in the dnssec-policy ?
>
> --
> dnssec-policy: default-nsec3
> current time: Mon Nov 21 09:50:11 2022
>
> key: 46697 (ECDSAP256SHA256), CSK
> published: yes - since Wed Nov 16 22:07:32 2022
> key signing: yes - since Wed Nov 16 22:07:32 2022
> zone signing: yes - since Wed Nov 16 22:07:32 2022
>
> Next rollover scheduled on Tue Nov 22 18:00:00 2022
> - goal: omnipresent
> - dnskey: omnipresent
> - ds: omnipresent
> - zone rrsig: omnipresent
> - key rrsig: omnipresent
>
> ; This is the state of key 46697, for acuity.tech.
> Algorithm: 13
> Length: 256
> Lifetime: 511048
> KSK: yes
> ZSK: yes
> Generated: 20221117030732 (Wed Nov 16 22:07:32 2022)
> Published: 20221117030732 (Wed Nov 16 22:07:32 2022)
> Active: 20221117030732 (Wed Nov 16 22:07:32 2022)
> Retired: 20221123010500 (Tue Nov 22 20:05:00 2022)
> Removed: 20221203021000 (Fri Dec 2 21:10:00 2022)
> DSPublish: 20221118201223 (Fri Nov 18 15:12:23 2022)
> PublishCDS: 20221118041232 (Thu Nov 17 23:12:32 2022)
> DNSKEYChange: 20221117051232 (Thu Nov 17 00:12:32 2022)
> ZRRSIGChange: 20221118041232 (Thu Nov 17 23:12:32 2022)
> KRRSIGChange: 20221117051232 (Thu Nov 17 00:12:32 2022)
> DSChange: 20221119221223 (Sat Nov 19 17:12:23 2022)
> DNSKEYState: omnipresent
> ZRRSIGState: omnipresent
> KRRSIGState: omnipresent
> DSState: omnipresent
> GoalState: omnipresent
> --
More information about the bind-users
mailing list