[Yeti DNS Discuss] First KSK rollover in Yeti Testbed

Stephane Bortzmeyer bortzmeyer at nic.fr
Sat Jul 11 13:35:31 UTC 2015


On Tue, Jun 30, 2015 at 06:14:54PM +0800,
 Davey Song <ljsong at biigroup.cn> wrote 
 a message of 146 lines which said:

> New KSK is created and released at Jun 30 12:31 2015 (UTC time)
> The old KSK:
> Inactive: 20150707123125 (Tue Jul  7 20:31:25 2015)
> Delete: 20150714123125 (Tue Jul 14 20:31:25 2015)

I'm not sure that this timing was correct. At least one Yeti resolver
now SERVFAILs (see the thread "Problem in the rollover?" on this
mailing list).

The failing machine uses Unbound and its state is:

% cat /etc/unbound/autokey/yeti-key.key 
; autotrust trust anchor file
;;id: . 1
;;last_queried: 1436620973 ;;Sat Jul 11 13:22:53 2015
;;last_success: 1436453195 ;;Thu Jul  9 14:46:35 2015
;;next_probe_time: 1436624107 ;;Sat Jul 11 14:15:07 2015
;;query_failed: 237
;;query_interval: 43200
;;retry_time: 8640
.	86400	IN	DNSKEY	257 3 8 AwEAAaP3gGQ4db0tAiDEky0dcUNGeI1aTDYP5NFxzhbdpD60ZhKLVV4KyxPmoSNUpq5Fv5M0iBwK1Tyswsyq/9sMSoZ8zx8aT3ho1YnPsSqQeJfjTT1WsX6YZ5Kw6B2QkjRNa6OMGZ96Kn8AI/slqsw+z8hY49Sn3baeo9iJxHPzloNc2dQkW4aLqzNEYxnuoJsthCfGrPSAXlUjY9m3YKIaEWR5WFYQk770fT+gGWLk/54Vp0sG+Lw75JZnwhDhixPFaToTDNqbHQmkEylq1XJLO15uZ/+RZNRfTXZKO4fVR0tMEbMAITqRmyP8xLXY4RXbS4J32gnenQbzABX8sQmwO7s= ;{id = 55954 (ksk), size = 2048b} ;;state=1 [ ADDPEND ] ;;count=5 ;;lastchange=1436291512 ;;Tue Jul  7 17:51:52 2015
.	85667	IN	DNSKEY	257 3 8 AwEAAchb6LrHCdz9Yo55u1id/b+X1FqVDF66xNrhbgnV+vtpiq7pDsT8KgzSijNuGs4GLGsMhVE/9H0wOtmVRUQqQ50PHZsiqg8gqB6i5zLortjpaCLZS7Oke1xP+6LzVRgT4c8NXlRBg3m/gDjzijBD0BMACjVGZNv0gReAg2OCr9dBrweE6DnM6twG7D2NyuGjpWzKeJfNd3Hek39V9NGHuABGkmYG16XCao37IWcP/s/57HuBom5U3SNfuzfVDppokatuL6dXp9ktuuVXsESc/rUERU/GPleuNfRuPHFr3URmrRud4DYbRWNVIsxqkSLrCldDjP1Hicf3S8NgVHJTSRE= ;{id = 24439 (ksk), size = 2048b} ;;state=2 [  VALID  ] ;;count=0 ;;lastchange=1435757697 ;;Wed Jul  1 13:34:57 2015

The current KSK (55954) is still in ADDPEND (RFC 5011, section
4.2). This means it is still during the hold-down period (RFC 5011,
section 2.2). The RFC states (section 2.4.1) "The add hold-down time
is 30 days or the expiration time of the original TTL of the first
trust point DNSKEY RRSet that contained the new key, whichever is
greater." Since this expiration time is also one month, it means the
old KSK should not have been deleted so early, since only two weeks
were elapsed.

If my analysis is correct (RFC 5011 experts here?), it means the
rollover was not done properly.



More information about the discuss mailing list