dnssec-policy - CSK rollover help

Matthijs Mekking matthijs at isc.org
Tue Nov 22 08:03:27 UTC 2022


Thanks for providing the data.

So it looks to me that nothing has happened yet because you scheduled 
the rollover at 20221122230000 (November 22, 2022, 23:00:00 UTC). That's 
why no successor has been created yet: the datetime is still in the future.

You can see in the state file that the key will be retired at
2022-11-23 01:05:00 UTC. This is 2 hours and 5 minutes after the 
rollover starts, which is the sum of the DNSKEY TTL, the 
publish-safety margin and the configured zone propagation delay.

So if all goes well, your rollover should start tonight (UTC).

You can set the log level to debug 1 and you will likely see the time in 
seconds when the new successor needs to be generated/selected. ("keymgr: 
new successor needed for DNSKEY XXXX (CSK) (policy default-nsec3) in 
YYYY seconds").

Best regards,

Matthijs


On 21-11-2022 15:54, vom513 wrote:
> 
> 
>> On Nov 21, 2022, at 3:29 AM, Matthijs Mekking <matthijs at isc.org> wrote:
>>
>> Hi,
>>
>> It is hard to see what the problem is without any configuration or state information. Also, log level debug 3 gives you probably more useful logs when investigating a problem.
>>
>> Can you share (privately if you wish) the key **state** files, and the output of 'rndc dnssec -status' for the given zone?
> 
> Yep, nothing top secret here.  Here is rndc dnssec -status as well as the state file.  Judging by the lifetime / retirement, it looks like I have a 2-hour window after the rollover?  I suppose I can/should tweak/increase this lifetime in the dnssec-policy?
> 
> --
> dnssec-policy: default-nsec3
> current time:  Mon Nov 21 09:50:11 2022
> 
> key: 46697 (ECDSAP256SHA256), CSK
>    published:      yes - since Wed Nov 16 22:07:32 2022
>    key signing:    yes - since Wed Nov 16 22:07:32 2022
>    zone signing:   yes - since Wed Nov 16 22:07:32 2022
> 
>    Next rollover scheduled on Tue Nov 22 18:00:00 2022
>    - goal:           omnipresent
>    - dnskey:         omnipresent
>    - ds:             omnipresent
>    - zone rrsig:     omnipresent
>    - key rrsig:      omnipresent
> 
> ; This is the state of key 46697, for acuity.tech.
> Algorithm: 13
> Length: 256
> Lifetime: 511048
> KSK: yes
> ZSK: yes
> Generated: 20221117030732 (Wed Nov 16 22:07:32 2022)
> Published: 20221117030732 (Wed Nov 16 22:07:32 2022)
> Active: 20221117030732 (Wed Nov 16 22:07:32 2022)
> Retired: 20221123010500 (Tue Nov 22 20:05:00 2022)
> Removed: 20221203021000 (Fri Dec  2 21:10:00 2022)
> DSPublish: 20221118201223 (Fri Nov 18 15:12:23 2022)
> PublishCDS: 20221118041232 (Thu Nov 17 23:12:32 2022)
> DNSKEYChange: 20221117051232 (Thu Nov 17 00:12:32 2022)
> ZRRSIGChange: 20221118041232 (Thu Nov 17 23:12:32 2022)
> KRRSIGChange: 20221117051232 (Thu Nov 17 00:12:32 2022)
> DSChange: 20221119221223 (Sat Nov 19 17:12:23 2022)
> DNSKEYState: omnipresent
> ZRRSIGState: omnipresent
> KRRSIGState: omnipresent
> DSState: omnipresent
> GoalState: omnipresent
> --
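As an added example (not from the thread and not BIND's own code), the arithmetic Matthijs describes, carried out on the quoted key state file: the Retired time equals Active plus Lifetime, and the rollover starts one pre-publication interval (dnskey-ttl + publish-safety + zone-propagation-delay) before it. The three policy values are assumed defaults of the built-in default-nsec3 policy and should be checked against your own named.conf.

```python
from datetime import datetime, timedelta, timezone

# Trimmed copy of the key state file quoted in the thread (constructed input).
STATE_FILE = """\
; This is the state of key 46697, for acuity.tech.
Algorithm: 13
Lifetime: 511048
KSK: yes
ZSK: yes
Active: 20221117030732 (Wed Nov 16 22:07:32 2022)
Retired: 20221123010500 (Tue Nov 22 20:05:00 2022)
DNSKEYState: omnipresent
GoalState: omnipresent
"""

# Assumed values (seconds) of the three timing options of the built-in
# default-nsec3 policy; check them against your named.conf if you override them.
POLICY = {"dnskey-ttl": 3600, "publish-safety": 3600, "zone-propagation-delay": 300}


def parse_state_file(text):
    """Return {field: value}; 14-digit timestamps become aware UTC datetimes."""
    fields = {}
    for line in text.splitlines():
        if not line or line.startswith(";"):
            continue
        key, _, rest = line.partition(":")
        value = rest.strip().split(" ", 1)[0]  # drop the "(local time)" comment
        if len(value) == 14 and value.isdigit():
            value = datetime.strptime(value, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
        elif value.isdigit():
            value = int(value)
        fields[key] = value
    return fields


def rollover_timeline(fields, policy):
    """Derive when the key retires and when its successor must be pre-published."""
    retired = fields["Active"] + timedelta(seconds=fields["Lifetime"])
    if retired != fields["Retired"]:
        raise ValueError("state file Retired does not equal Active + Lifetime")
    # The successor must already be omnipresent when this key retires, so the
    # rollover starts one pre-publication interval earlier.
    prepublish = timedelta(seconds=sum(policy.values()))
    return {"retired": retired, "rollover_start": retired - prepublish, "prepublish": prepublish}


if __name__ == "__main__":
    for name, value in rollover_timeline(parse_state_file(STATE_FILE), POLICY).items():
        print(f"{name:15} {value}")
```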

