<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=Content-Type content="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 12 (filtered medium)">
<style>
<!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri","sans-serif";
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;}
@page Section1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.Section1
{page:Section1;}
-->
</style>
<!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang=NL link=blue vlink=purple>
<div class=Section1>
<p class=MsoNormal><span lang=EN-US>Hey,<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p>
<p class=MsoNormal><span lang=EN-US>When resigning a zone which has a serial of
1000 and policy for the serial is “keep”, and the zone still has
that same serial, I get the following message:<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Jun 1 11:22:15 signer1 ods-signerd:
Cannot keep input serial 1000, output serial 1000 is too large. Aborting
operation<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p>
<p class=MsoNormal><span lang=EN-US>How can an output serial be too large? On a
sidenote, the zone was about to get a KSK rollover. <o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p>
<p class=MsoNormal><span lang=EN-US>At earlier signing I got this message which
is correct and expected: <o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Jun 1 11:12:11 signer1 ods-signerd:
Error: serial setting is set to 'keep', but input serial has not increased.
Aborting sign operation for ods<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Full log:<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Jun 1 11:22:14 signer1 ods-signerd:
Scheduling task to sign zone ods at 1275384134.71 with resign time 180<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Jun 1 11:22:14 signer1 ods-signerd:
Scheduling task to sign zone ods at 1275384134.71 with resign time 180<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Jun 1 11:22:14 signer1 ods-signerd:
Zone ods added<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Jun 1 11:22:14 signer1 ods-signerd:
opening socket: /var/run/opendnssec/engine.sock<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Jun 1 11:22:14 signer1 ods-signerd:
Engine running<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Jun 1 11:22:14 signer1 ods-enforcerd:
opendnssec-enforcer starting...<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Jun 1 11:22:14 signer1 ods-enforcerd:
opendnssec-enforcer Parent exiting...<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Jun 1 11:22:14 signer1 ods-enforcerd:
opendnssec-enforcer forked OK...<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Jun 1 11:22:14 signer1 ods-enforcerd:
opendnssec-enforcer started (version 1.1.0rc3), pid 13521<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Jun 1 11:22:14 signer1 ods-enforcerd:
HSM opened successfully.<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Jun 1 11:22:14 signer1 ods-enforcerd:
Reading config "/etc/opendnssec/conf.xml"<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Jun 1 11:22:14 signer1 ods-enforcerd:
Reading config schema "/usr/local/share/opendnssec/conf.rng"<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Jun 1 11:22:14 signer1 ods-enforcerd:
Communication Interval: 1800<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Jun 1 11:22:14 signer1 ods-enforcerd:
No DS Submit command supplied<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Jun 1 11:22:14 signer1 ods-enforcerd:
SQLite database set to: /var/opendnssec/kasp.db<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Jun 1 11:22:14 signer1 ods-enforcerd:
Log User set to: local0<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Jun 1 11:22:14 signer1 ods-enforcerd:
Switched log facility to: local0<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Jun 1 11:22:14 signer1 ods-enforcerd:
Connecting to Database...<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Jun 1 11:22:14 signer1 ods-enforcerd:
Policy default found.<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Jun 1 11:22:14 signer1 ods-enforcerd:
Key sharing is Off.<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Jun 1 11:22:14 signer1 ods-enforcerd:
Policy gradual1 found.<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Jun 1 11:22:14 signer1 ods-enforcerd:
Key sharing is Off.<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Jun 1 11:22:14 signer1 ods-enforcerd:
zonelist filename set to /etc/opendnssec/zonelist.xml.<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Jun 1 11:22:14 signer1 ods-enforcerd:
Zone ods found.<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Jun 1 11:22:14 signer1 ods-enforcerd:
Policy for ods set to gradual1.<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Jun 1 11:22:14 signer1 ods-enforcerd:
Config will be output to /var/opendnssec/signconf/ods.xml.<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Jun 1 11:22:15 signer1 ods-enforcerd:
INFO: New DS records needed for the zone ods; details will follow<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Jun 1 11:22:15 signer1 ods-enforcerd:
WARNING: KSK Retirement reached; please submit the new DS for ods and use
ods-ksmutil key ksk-roll to roll the key.<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Jun 1 11:22:15 signer1 ods-enforcerd:
No change to: /var/opendnssec/signconf/ods.xml<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Jun 1 11:22:15 signer1 ods-enforcerd:
DSChanged<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Jun 1 11:22:15 signer1 ods-enforcerd:
DS Record set has changed, the current set looks like:<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Jun 1 11:22:15 signer1 ods-enforcerd:
ods. 3600
IN DNSKEY 257 3 7
AwEAAdipHfA+phxY3scDd7Go/ncAJm1WDfarQAz2jjmCFgSlG9SHvDzxpXIlO/ThDMU+IXC/LRyW9tMhedDA/ZKJ9fHjd+0MCa66o7SMSS4/ATozbzLwy/ENaFjtb6jAho3w/R9MPwajiKZQ2XtXO8DwjdglFklDHJKSbXeleaMRfDLzPRpx4DZxnE1sMgTSh2j707MrCm8vjZcrZDbR53vQfHztu/VHD9vv29ji426NYg5wqC1toUUHMMBCR70jZ1KO15Ubkpwf/FXRySxCuiZuO5KUpUWYWxh342l4ZGUwsLQ+fWZ04rhwAplXrvxRrq5NEMif9csFdZJyxxibOOGWlCE=
;{id = 45856 (ksk), size = 2048b}<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Jun 1 11:22:15 signer1 ods-enforcerd:
ods. 3600
IN DNSKEY 257 3 7
AwEAAcNcbkEd+NhwfWk0WgVuUWJyfgBWLMwSF5ZRHD+9Sru5kRkKNXDl7IMpdiSjp/wSCFWjr2IR5/KMZe0Cf4laV63I8sJy6OWRpCF/Kk8EuDaE1T0MOP6GQkif9Fn+JUzwz/SESAMv/knY5+xwwGm4cMNuS8egmlsmUuNqnw3PqChJbLKKpDbzzBI5P98KY51kbVIdfLqMkf8X8B3y/5rc8xmBc0xhTY4ZbpP2dgm65dFeK8lCOF1FSSWwItc2qRT2jdG/60226CufjXnEeS7oChFKF0cP46ZXFRql6/3qOkfACwdVxAizWoraMU4JHp2rVvla2WmMBvhXJyDEl+xP/Qc=
;{id = 16581 (ksk), size = 2048b}<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Jun 1 11:22:15 signer1 ods-enforcerd:
Once the new DS records are seen in DNS please issue the ds-seen command for
zone ods with the following cka_ids, b48cfc3c80e11ed41eb21ab49d7666df,
12306205b8e5aa46abb276d57544680c<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Jun 1 11:22:15 signer1 ods-enforcerd:
Disconnecting from Database...<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Jun 1 11:22:15 signer1 ods-enforcerd:
Sleeping for 1800 seconds.<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Jun 1 11:22:15 signer1 ods-signerd:
Zone action to perform: 3<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Jun 1 11:22:15 signer1 ods-signerd:
Cannot keep input serial 1000, output serial 1000 is too large. Aborting operation<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Jun 1 11:22:25 signer1 ods-enforcerd:
Received SIGTERM, exiting...<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Jun 1 11:22:25 signer1 ods-enforcerd:
all done! hsm_close result: 0<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Jun 1 11:22:25 signer1 ods-signerd:
Received command: 'stop'<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Jun 1 11:22:25 signer1 ods-signerd:
close syslog<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Jun 1 11:22:25 signer1 python:
Connection closed by peer<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Cheers,<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Rick<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p>
</div>
</body>
</html>