Hi,

We have two staging signers running, in preparation of a migration of our zones to new signers. In our staging environment we have one signer designated as active (ns-signer01) and one designated as backup (ns-signer02). The backup signer has a different policy than the active, it has both KSK and ZSK keys set to ManualRollover. The plan is that the active signer performs key rollovers and syncs its keys and state to the backup signer every hour. We're using SoftHSM and we're syncing /var/lib/softhsm and /usr/local/var/opendnssec over. Since the backup signer has a different policy than the master, the backup runs `ods-enforcer policy import` after every sync to update the kasp.db received from the master with the settings from kasp.xml. Both the ISNIC-KSK and the ISNIC-ZSK repositories have RequireBackup set.

During testing we've configured an aggressive KASP for frequent rollovers and signings, to spot problems. Our settings from kasp.xml are:

<Keys>
    <TTL>PT300S</TTL>
    <RetireSafety>PT360S</RetireSafety>
    <PublishSafety>PT360S</PublishSafety>
    <Purge>P14D</Purge>

    <KSK>
        <Algorithm length="4096">8</Algorithm>
        <Lifetime>P10Y</Lifetime>
        <Repository>ISNIC-KSK</Repository>
        <ManualRollover/>
    </KSK>

    <ZSK>
        <Algorithm length="1024">8</Algorithm>
        <Lifetime>PT2H</Lifetime>
        <Repository>ISNIC-ZSK</Repository>
    </ZSK>
</Keys>

We're monitoring the DNSKEY records on both the active and the backup signers every 1 minute. We see that the active signer is rotating the ZSK every 2 hours as per the KASP, but what's troubling us is that we never see more than one ZSK in the DNSKEY set. It just goes from one ZSK to another between checks. Our understanding of the RetireSafety and PublishSafety options was that we would see two ZSK records for 12 minutes (6 minutes before rollover and 6 minutes after rollover).


Can anyone see why we're not seeing what we're expecting, and if our expectations or our configuration is wrong?


.einar

ISNIC

_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
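A small monitoring helper for the situation described in this post, added here as an example; it is not the poster's script and not part of OpenDNSSEC. It parses polled DNSKEY RRsets (one RR per line, in the presentation format `dig DNSKEY` prints), separates KSKs from ZSKs by the SEP flag, computes RFC 4034 key tags so the two ZSKs can be told apart from one poll to the next, reports every run of polls in which two or more ZSKs were published, and flags any poll where the ZSK set changed with no overlap at all. The 12-minute expected overlap and the one-minute poll interval are taken from the post as parameters, not asserted as OpenDNSSEC's actual timing; the sample polls and the tiny key blobs are constructed and are not real RSA keys.

```python
import base64
import struct
from datetime import timedelta

# Constructed sample: five one-minute polls of the apex DNSKEY RRset.
# Polls 1-3 show a ZSK rollover with a short pre/post-publish overlap;
# polls 4-5 show the symptom from the post: one ZSK replaced by another
# with no overlap at all. The base64 blobs are four-byte fakes, not real keys.
SAMPLES = [
    ("2013-01-01T10:00:00", "example. 300 IN DNSKEY 257 3 8 AQIDBA==\n"
                            "example. 300 IN DNSKEY 256 3 8 AQIDBA==\n"),
    ("2013-01-01T10:01:00", "example. 300 IN DNSKEY 257 3 8 AQIDBA==\n"
                            "example. 300 IN DNSKEY 256 3 8 AQIDBA==\n"
                            "example. 300 IN DNSKEY 256 3 8 CgsMDQ==\n"),
    ("2013-01-01T10:02:00", "example. 300 IN DNSKEY 257 3 8 AQIDBA==\n"
                            "example. 300 IN DNSKEY 256 3 8 CgsMDQ==\n"),
    ("2013-01-01T10:03:00", "example. 300 IN DNSKEY 257 3 8 AQIDBA==\n"
                            "example. 300 IN DNSKEY 256 3 8 CgsMDQ==\n"),
    ("2013-01-01T10:04:00", "example. 300 IN DNSKEY 257 3 8 AQIDBA==\n"
                            "example. 300 IN DNSKEY 256 3 8 ECAwQA==\n"),
]

FLAG_SEP = 0x0001  # Secure Entry Point bit: set on KSKs (257), clear on ZSKs (256)


def key_tag(flags, protocol, algorithm, key):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (not valid for algorithm 1)."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + key
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_dnskey_rrset(text):
    """Parse 'owner ttl IN DNSKEY flags proto alg key...' lines into dicts."""
    keys = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 8 or parts[3] != "DNSKEY":
            continue  # skip comments, blank lines and other RR types
        flags, protocol, algorithm = int(parts[4]), int(parts[5]), int(parts[6])
        key = base64.b64decode("".join(parts[7:]))  # key may be split across fields
        keys.append({
            "name": parts[0],
            "ttl": int(parts[1]),
            "flags": flags,
            "algorithm": algorithm,
            "role": "KSK" if flags & FLAG_SEP else "ZSK",
            "tag": key_tag(flags, protocol, algorithm, key),
        })
    return keys


def zsk_tags(keys):
    """Sorted key tags of the ZSKs in a parsed RRset."""
    return sorted(k["tag"] for k in keys if k["role"] == "ZSK")


def overlap_runs(samples, expected_overlap=timedelta(minutes=12),
                 poll=timedelta(minutes=1)):
    """Contiguous runs of polls in which >= 2 ZSKs were published at once.

    expected_overlap and poll are the post's assumptions (12 min window,
    1 min polling); a run of N polls is treated as roughly N * poll long.
    """
    runs, current = [], None
    for ts, text in samples:
        tags = zsk_tags(parse_dnskey_rrset(text))
        if len(tags) >= 2:
            if current is None:
                current = {"start": ts, "end": ts, "polls": 0, "tags": []}
            current["end"] = ts
            current["polls"] += 1
            current["tags"] = sorted(set(current["tags"]) | set(tags))
        elif current is not None:
            runs.append(current)
            current = None
    if current is not None:
        runs.append(current)
    for r in runs:
        r["meets_expectation"] = r["polls"] * poll >= expected_overlap
    return runs


def hard_swaps(samples):
    """Adjacent polls whose ZSK sets are disjoint: a rollover with no overlap."""
    swaps = []
    prev_ts, prev = None, None
    for ts, text in samples:
        cur = zsk_tags(parse_dnskey_rrset(text))
        if prev is not None and cur and prev and not set(prev) & set(cur):
            swaps.append((prev_ts, ts, prev, cur))
        prev_ts, prev = ts, cur
    return swaps


if __name__ == "__main__":
    for r in overlap_runs(SAMPLES):
        print("overlap", r["start"], "->", r["end"], r["tags"],
              "ok" if r["meets_expectation"] else "shorter than expected")
    for prev_ts, ts, gone, new in hard_swaps(SAMPLES):
        print("no-overlap swap between", prev_ts, "and", ts, gone, "->", new)
```

Run against real polls by replacing SAMPLES with the timestamped output of your one-minute check. A run whose `meets_expectation` is false but whose `polls` is nonzero means the pre-publish window exists but is shorter than the 12 minutes expected; an entry from `hard_swaps` with no run around it means the key changed entirely within one poll interval, which is exactly the symptom described above and worth correlating with the enforcer's key list and the hourly sync times.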
