Hi Fred,

Thanks for sharing the data, I now understand what has happened. The root cause must have been an error in the migration script. I'll write it down in detail so you can verify your part of the events.
1) Before migration there were two ZSKs in a rollover. Let's call those ZSK1 (old) and ZSK2 (new).

2) The migration script was executed. ZSK2 was wrongfully marked as entirely propagated (but in fact only some of the signatures were generated with this key).

3) The enforcer ran, concluded ZSK1 could be removed, and instructed the signer to stop publishing the DNSKEY of ZSK1. But the signer kept reusing signatures of this key.

4) Now the user issued a rollover to ZSK3 to fix the situation. But now we are in a situation where we still have signatures from ZSK1 and ZSK2. Both will be replaced by signatures of ZSK3 over the course of 14 days (signature validity in KASP).

To come out of this situation you could issue:

    ods-signer clear kvi.nl

All signatures will then be regenerated at the next sign run, all of them with ZSK3.

For us to do:

1) Fix the migration script to better recognise the current rollover.

2) Make sure the signer doesn't keep signatures of a key that is no longer active or published.

Regards,
Yuri
Opendnssec-user mailing list: Opendnssec-user@lists.opendnssec.org, https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
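An added check to detect the state described in step 3 (RRSIGs made with a key whose DNSKEY is no longer published); this is example code, not part of Yuri's message or of OpenDNSSEC. It assumes records in zone presentation format (as returned by `dig +dnssec`), and the DNSKEY data and key tags below are constructed placeholders, not the real kvi.nl keys.

```python
import base64

# Constructed sample: a DNSKEY RRset plus a few RRSIGs of the zone. The key tag
# 40113 stands in for a retired ZSK whose DNSKEY is gone but whose signature remains.
SAMPLE_RRSET = """\
kvi.nl. 3600 IN DNSKEY 257 3 8 AQID
kvi.nl. 3600 IN DNSKEY 256 3 8 AQAB
kvi.nl. 3600 IN RRSIG DNSKEY 8 2 3600 20240401000000 20240318000000 2059 kvi.nl. c2lnbmF0dXJl
kvi.nl. 3600 IN RRSIG SOA 8 2 3600 20240401000000 20240318000000 1544 kvi.nl. c2lnbmF0dXJl
kvi.nl. 3600 IN RRSIG NS 8 2 3600 20240401000000 20240318000000 40113 kvi.nl. c2lnbmF0dXJl
"""


def dnskey_keytag(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> int:
    """Key tag per RFC 4034 Appendix B, computed over the DNSKEY RDATA (non-RSA/MD5 algorithms)."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(pubkey_b64)
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_rrs(text: str):
    """Return (published key tags -> flags, RRSIG key tags -> covered types)."""
    published, used = {}, {}
    for line in text.splitlines():
        f = line.split()
        if len(f) < 4 or f[2] != "IN":
            continue
        if f[3] == "DNSKEY" and len(f) >= 8:
            flags, proto, alg = int(f[4]), int(f[5]), int(f[6])
            published[dnskey_keytag(flags, proto, alg, "".join(f[7:]))] = flags
        elif f[3] == "RRSIG" and len(f) >= 13:
            # RRSIG fields: type-covered alg labels orig-ttl expiration inception keytag signer sig
            used.setdefault(int(f[10]), set()).add(f[4])
    return published, used


def orphaned_signatures(text: str) -> dict:
    """Key tags that sign records in the zone but match no published DNSKEY."""
    published, used = parse_rrs(text)
    return {tag: sorted(types) for tag, types in used.items() if tag not in published}


if __name__ == "__main__":
    for tag, types in orphaned_signatures(SAMPLE_RRSET).items():
        print(f"RRSIG(s) over {types} use key tag {tag}, which is not in the DNSKEY RRset")
```

Run it over the zone's actual DNSKEY and RRSIG output; an empty result means every signature in the zone can be validated with a published key.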