<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=Content-Type content="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 12 (filtered medium)">
<style>
<!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri","sans-serif";
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;}
@page Section1
{size:612.0pt 792.0pt;
margin:70.85pt 70.85pt 70.85pt 70.85pt;}
div.Section1
{page:Section1;}
-->
</style>
<!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang=NL link=blue vlink=purple>
<div class=Section1>
<p class=MsoNormal><span lang=EN-US>Hello all,<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p>
<p class=MsoNormal><span lang=EN-US>After signing the nl zone (NSEC3 opt-in)
and copying the succesfully signed zone from /var/opendnssec/signed to /var/opendnssec/unsigned
and performing a key rollover the logging tells me the zone is unsigned. It is
signing now.<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p>
<p class=MsoNormal><span lang=EN-US>At 12:20 I copied the signed zone to the
/unsigned directory and after that I issues the ‘ods-control start’
command.<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p>
<p class=MsoNormal><span lang=EN-US>You see a new ZSK is generated. During this
log I entered the ‘ods-ksmutil backup done’ command to able
OpenDNSSEC to rollover the ZSK.<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='font-family:"Courier New"'>Dec 17
12:36:43 signer2 ods-enforcerd: Reading config
"/etc/opendnssec/conf.xml"<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='font-family:"Courier New"'>Dec 17
12:36:43 signer2 ods-enforcerd: Reading config schema
"/usr/local/share/opendnssec/conf.rng"<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='font-family:"Courier New"'>Dec 17
12:36:43 signer2 ods-enforcerd: Reading config "/etc/opendnssec/conf.xml"<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='font-family:"Courier New"'>Dec 17
12:36:43 signer2 ods-enforcerd: Reading config schema
"/usr/local/share/opendnssec/conf.rng"<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='font-family:"Courier New"'>Dec 17
12:36:43 signer2 ods-enforcerd: Communication Interval: 3600<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='font-family:"Courier New"'>Dec 17
12:36:43 signer2 ods-enforcerd: SQLite database set to: /var/opendnssec/kasp.db<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='font-family:"Courier New"'>Dec 17
12:36:43 signer2 ods-enforcerd: Log User set to: local0<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='font-family:"Courier New"'>Dec 17
12:36:43 signer2 ods-enforcerd: Switched log facility to: local0<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='font-family:"Courier New"'>Dec 17
12:36:43 signer2 ods-enforcerd: Connecting to Database...<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='font-family:"Courier New"'>Dec 17
12:36:43 signer2 ods-enforcerd: Reading config
"/etc/opendnssec/conf.xml"<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='font-family:"Courier New"'>Dec 17
12:36:43 signer2 ods-enforcerd: Reading config schema
"/usr/local/share/opendnssec/conf.rng"<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='font-family:"Courier New"'>Dec 17
12:36:43 signer2 ods-enforcerd: Communication Interval: 3600<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='font-family:"Courier New"'>Dec 17
12:36:43 signer2 ods-enforcerd: Policy default found.<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='font-family:"Courier New"'>Dec 17
12:36:43 signer2 ods-enforcerd: SQLite database set to: /var/opendnssec/kasp.db<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='font-family:"Courier New"'>Dec 17
12:36:43 signer2 ods-enforcerd: Communication Interval: 3600<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='font-family:"Courier New"'>Dec 17
12:36:43 signer2 ods-enforcerd: Key sharing is Off.<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='font-family:"Courier New"'>Dec 17
12:36:43 signer2 ods-enforcerd: Log User set to: local0<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='font-family:"Courier New"'>Dec 17
12:36:43 signer2 ods-enforcerd: SQLite database set to: /var/opendnssec/kasp.db<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='font-family:"Courier New"'>Dec 17
12:36:43 signer2 ods-enforcerd: Switched log facility to: local0<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='font-family:"Courier New"'>Dec 17
12:36:43 signer2 ods-enforcerd: Log User set to: local0<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='font-family:"Courier New"'>Dec 17
12:36:43 signer2 ods-enforcerd: /var/opendnssec/kasp.db.our_lock already
locked, sleep<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='font-family:"Courier New"'>Dec 17
12:36:43 signer2 ods-enforcerd: Switched log facility to: local0<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='font-family:"Courier New"'>Dec 17
12:36:43 signer2 ods-enforcerd: /var/opendnssec/kasp.db.our_lock already
locked, sleep<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='font-family:"Courier New"'>Dec 17
12:36:43 signer2 ods-enforcerd: Created ZSK size: 1024, alg: 7 with id:
20301656daf649d6fd31739a92a76f17 in repository: luna1 and database.<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='font-family:"Courier New"'>Dec 17
12:36:43 signer2 ods-enforcerd: zonelist filename set to
/etc/opendnssec/zonelist.xml.<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='font-family:"Courier New"'>Dec 17
12:36:43 signer2 ods-enforcerd: Zone nl found.<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='font-family:"Courier New"'>Dec 17
12:36:43 signer2 ods-enforcerd: Policy for nl set to default.<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='font-family:"Courier New"'>Dec 17
12:36:43 signer2 ods-enforcerd: Config will be output to
/var/opendnssec/signconf/nl.xml.<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='font-family:"Courier New"'>Dec 17
12:36:43 signer2 ods-enforcerd: ERROR: Trying to make non-backed up ZSK active
when RequireBackup flag is set<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='font-family:"Courier New"'>Dec 17
12:36:43 signer2 ods-signerd: Received command: 'update nl'<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='font-family:"Courier New"'>Dec 17
12:36:43 signer2 ods-signerd: Scheduling task to sign zone nl at 1261047772.03
with resign time 7200<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='font-family:"Courier New"'>Dec 17
12:36:43 signer2 ods-enforcerd: Could not call signer engine<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='font-family:"Courier New"'>Dec 17
12:36:43 signer2 ods-enforcerd: Will continue: call 'ods-signer update' to
manually update zones<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='font-family:"Courier New"'>Dec 17
12:36:43 signer2 ods-enforcerd: Disconnecting from Database...<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='font-family:"Courier New"'>Dec 17
12:36:43 signer2 ods-signerd: Client socket shut down<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='font-family:"Courier New"'>Dec 17
12:36:43 signer2 ods-enforcerd: Sleeping for 3600 seconds.<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='font-family:"Courier New"'>Dec 17
12:36:43 signer2 ods-signerd: Zone action to perform: 3<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='font-family:"Courier New"'>Dec 17
12:36:43 signer2 ods-signerd: Resorting signed zone: nl<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='font-family:"Courier New"'>Dec 17
12:36:53 signer2 ods-enforcerd: Connecting to Database...<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='font-family:"Courier New"'>Dec 17
12:36:53 signer2 ods-enforcerd: Policy default found.<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='font-family:"Courier New"'>Dec 17
12:36:53 signer2 ods-enforcerd: Key sharing is Off.<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='font-family:"Courier New"'>Dec 17
12:36:53 signer2 ods-enforcerd: zonelist filename set to
/etc/opendnssec/zonelist.xml.<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='font-family:"Courier New"'>Dec 17
12:36:53 signer2 ods-enforcerd: Zone nl found.<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='font-family:"Courier New"'>Dec 17
12:36:53 signer2 ods-enforcerd: Policy for nl set to default.<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='font-family:"Courier New"'>Dec 17
12:36:53 signer2 ods-enforcerd: Config will be output to
/var/opendnssec/signconf/nl.xml.<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='font-family:"Courier New"'>Dec 17
12:36:53 signer2 ods-enforcerd: ERROR: Trying to make non-backed up ZSK active
when RequireBackup flag is set<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='font-family:"Courier New"'>Dec 17
12:36:53 signer2 ods-enforcerd: /var/opendnssec/kasp.db.our_lock already
locked, sleep<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='font-family:"Courier New"'>Dec 17
12:36:53 signer2 ods-enforcerd: No change to: /var/opendnssec/signconf/nl.xml<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='font-family:"Courier New"'>Dec 17
12:36:53 signer2 ods-enforcerd: Disconnecting from Database...<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='font-family:"Courier New"'>Dec 17
12:36:53 signer2 ods-enforcerd: Sleeping for 3600 seconds.<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='font-family:"Courier New"'>Dec 17
12:37:03 signer2 ods-enforcerd: Connecting to Database...<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='font-family:"Courier New"'>Dec 17
12:37:03 signer2 ods-enforcerd: Policy default found.<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='font-family:"Courier New"'>Dec 17
12:37:03 signer2 ods-enforcerd: Key sharing is Off.<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='font-family:"Courier New"'>Dec 17
12:37:03 signer2 ods-enforcerd: zonelist filename set to
/etc/opendnssec/zonelist.xml.<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='font-family:"Courier New"'>Dec 17
12:37:03 signer2 ods-enforcerd: Zone nl found.<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='font-family:"Courier New"'>Dec 17
12:37:03 signer2 ods-enforcerd: Policy for nl set to default.<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='font-family:"Courier New"'>Dec 17
12:37:03 signer2 ods-enforcerd: Config will be output to
/var/opendnssec/signconf/nl.xml.<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='font-family:"Courier New"'>Dec 17
12:37:03 signer2 ods-enforcerd: ERROR: Trying to make non-backed up ZSK active
when RequireBackup flag is set<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='font-family:"Courier New"'>Dec 17
12:37:03 signer2 ods-enforcerd: No change to: /var/opendnssec/signconf/nl.xml<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='font-family:"Courier New"'>Dec 17
12:37:03 signer2 ods-enforcerd: Disconnecting from Database...<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='font-family:"Courier New"'>Dec 17
12:37:03 signer2 ods-enforcerd: Sleeping for 3600 seconds.<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='font-family:"Courier New"'>Dec 17
12:44:21 signer2 ods-signerd: stderr from sorter: Number of records sorted:
8421033<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='font-family:"Courier New"'>Dec 17
12:44:21 signer2 ods-signerd: Preprocessing signed zone: nl<o:p></o:p></span></p>
<p class=MsoNormal><b><span lang=EN-US style='font-family:"Courier New"'>Dec 17
12:44:21 signer2 ods-signerd: No signed zone yet<o:p></o:p></span></b></p>
<p class=MsoNormal><span lang=EN-US style='font-family:"Courier New"'>Dec 17
12:44:21 signer2 ods-signerd: Sorting zone: nl<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p>
<p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Is there anything else I should do to let
OpenDNSSEC know it’s a signed zone? Or did something not go as intended
here?<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p>
<p class=MsoNormal><span lang=EN-US>This is my keylist prior to the rollover:<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='font-family:"Courier New"'>Keys:<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='font-family:"Courier New"'>Zone:
Keytype:
State: Date of next transition:
CKA_ID:
Repository:
Keytag:<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='font-family:"Courier New"'>nl
KSK active
2010-12-15 16:57:12
40526f58ceda729b8e20dcb8fa78b5d9 softHSM
27996<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='font-family:"Courier New"'>nl
KSK ready
next
rollover
a60e3a9d993ec0baf2b58aae8cd2332c
softHSM
59425<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='font-family:"Courier New"'>nl
ZSK retire
2009-12-23 20:05:22
e1edaee7a2e4a5753e9e0b7ec699d2fb
softHSM
22607<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='font-family:"Courier New"'>nl
ZSK retire
2009-12-23 23:19:16
f32c8e8b144a01f7d23cba89b0cb94c1
softHSM
18500<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='font-family:"Courier New"'>nl ZSK
retire 2009-12-24
13:21:05
9ec98215a1ea0e6c22531299cac5f34a
luna1
5135<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='font-family:"Courier New"'>nl
ZSK active
2010-01-16 00:21:05 e0cb42739b2b9cc7cd62244753604bd0
luna1
25322<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='font-family:"Courier New"'>nl
ZSK ready
next
rollover
cb700dd8b460928c1cf89c29ed8a6e87
luna1
2723<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p>
<p class=MsoNormal><span lang=EN-US>This is my /tmp dir:<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-family:"Courier New"'>drwxr-xr-x 2 root
root 4096 Dec 17 10:44 .<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-family:"Courier New"'>drwxr-xr-x 6 root
root 4096 Dec 17 12:37 ..<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-family:"Courier New"'>-rw-r--r-- 1 root
root 802188537 Dec 17 01:17 nl.nsecced<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-family:"Courier New"'>-rw-r--r-- 1 root
root 39798162 Dec 17 13:00 nl.processed<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-family:"Courier New"'>-rw-r--r-- 1 root
root 10 Dec 17 04:33 nl.serial<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-family:"Courier New"'>-rw-r--r-- 1 root
root 1861768988 Dec 17 04:30 nl.signed<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='font-family:"Courier New"'>-rw-r--r--
1 root root 395836542 Dec 17 12:44 nl.signed.sorted<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='font-family:"Courier New"'>-rw-r--r--
1 root root 396952583 Dec 17 12:51 nl.sorted<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='font-family:"Courier New"'>-rw-r--r--
1 root root 1861567228 Dec 17 12:44 nl.unsorted<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p>
<p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Cheers,<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Rick<o:p></o:p></span></p>
</div>
</body>
</html>