
Key rollover does not retire the old key


    Details

    • Type: Support
    • Status: Open
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: 2.1.10
    • Fix Version/s: None
    • Component/s: Enforcer
    • Labels: None
    • Environment:

      Description

      Hello,

      We are currently running OpenDNSSEC version 2.1.13 on a Redhat EL9 system. In our configuration, we have set up two slots in SoftHSM, one for ZSK (Zone Signing Key) and one for KSK (Key Signing Key). Auto key generation is disabled, and we have configured key rollovers for 6 months for ZSK and 1 year for KSK. The keys are imported into OpenDNSSEC (ODS) and the Hardware Security Module (HSM) with inception times aligned with the key rollover schedule. Specifically, the ZSK is configured to roll over automatically.

      We have observed that while the new keys are correctly incepted at the specified intervals, the rollover process does not occur as expected. This has resulted in multiple ZSK keys being active simultaneously (the old key's status does not change to retire), despite our policy being set to the default "prepublish". Furthermore, when we attempt a manual rollover, both active keys retire simultaneously.

      We expected that the ZSK keys should roll over automatically at the configured intervals, ensuring a smooth transition without multiple active keys. Similarly for KSK.

      Appreciate your support.

      Thanks,

      Arun
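The symptom reported above (more than one ZSK in the active state for a zone) is easy to catch from the enforcer's own key listing. The following is an added example, not code from the reporter or from the OpenDNSSEC project: a small checker that parses `ods-enforcer key list` output and flags every (zone, key type) pair with more than one active key. The column layout it assumes (zone, key type, state, next transition) is modelled on OpenDNSSEC 2.x output but is an assumption, and the listing embedded below is constructed sample data, not output from the reporter's system.

```python
"""Flag zones that have more than one key of a type in the 'active' state.

Input is the text of `ods-enforcer key list` (OpenDNSSEC 2.x). The column
order assumed here (Zone, Keytype, State, Date of next transition) is an
assumption about the enforcer's output format; adjust parse_key_list() if
your build prints different columns (e.g. with `-v`).
"""
import sys
from collections import defaultdict

# Constructed sample output (not from a real deployment). example.net shows
# the reported failure mode: two ZSKs active at once after a rollover.
SAMPLE_KEY_LIST = """\
Keys:
Zone:                           Keytype: State:    Date of next transition:
example.net                     KSK      active    2025-06-01 00:00:00
example.net                     ZSK      active    2024-12-01 00:00:00
example.net                     ZSK      active    2025-06-01 00:00:00
example.net                     ZSK      publish   2025-06-01 00:00:00
example.org                     KSK      active    2025-06-01 00:00:00
example.org                     ZSK      retire    2024-12-15 00:00:00
example.org                     ZSK      active    2025-06-01 00:00:00
"""

# Key types OpenDNSSEC can list; rows whose second column is not one of
# these (the "Keys:" banner, the column header) are skipped.
KEY_TYPES = {"KSK", "ZSK", "CSK"}


def parse_key_list(text):
    """Return a list of (zone, keytype, state) tuples from key-list output."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[1] not in KEY_TYPES:
            continue
        rows.append((parts[0], parts[1], parts[2].lower()))
    return rows


def find_multiple_active(rows):
    """Map (zone, keytype) -> count for every pair with more than one active key.

    With a prepublish ZSK rollover exactly one ZSK per zone should be active
    at any moment: the successor is published, then becomes active as the
    predecessor moves to retire. Two active keys of the same type means the
    old key was never retired, which is what this check surfaces.
    """
    counts = defaultdict(int)
    for zone, ktype, state in rows:
        if state == "active":
            counts[(zone, ktype)] += 1
    return {key: n for key, n in counts.items() if n > 1}


def report(text):
    """Human-readable findings for a key listing; empty list means all clear."""
    findings = find_multiple_active(parse_key_list(text))
    return [
        f"{zone} {ktype}: {n} active keys (expected 1)"
        for (zone, ktype), n in sorted(findings.items())
    ]


if __name__ == "__main__":
    # Live use (assumed invocation):  ods-enforcer key list | python3 check_active_keys.py
    # With no piped input the constructed sample is used instead.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_KEY_LIST
    for line in report(text) or ["OK: no zone has more than one active key per key type"]:
        print(line)
```

Run from cron or a monitoring agent, a non-empty report is the signal to inspect the enforcer (e.g. `ods-enforcer key list -v` and `ods-enforcer rollover list`) rather than waiting for resolvers to notice; the check itself changes nothing in the HSM or the key database.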

      People

      Assignee: Unassigned
      Reporter: Arun Natarajan
      Votes: 0
      Watchers: 2