<html>
  <head>
    <meta content="text/html; charset=windows-1252"
      http-equiv="Content-Type">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    <div class="moz-cite-prefix">Hi Håvard,<br>
      <br>
      I also ran into this a couple of times. I "fixed" this by using
      the "ods-ksmutil key generate" command. <br>
      <br>
      Regards, <br>
      <br>
      Maurice Mahieu  <br>
      <br>
      <br>
      On 01/28/2016 10:32 AM, Yuri Schaeffer wrote:<br>
    </div>
    <blockquote cite="mid:56A9E013.6090906@nlnetlabs.nl" type="cite">
      <pre wrap="">Hi Håvard,

For now I made an issue in our tracker for it
<a class="moz-txt-link-freetext" href="https://issues.opendnssec.org/browse/OPENDNSSEC-752">https://issues.opendnssec.org/browse/OPENDNSSEC-752</a>

Regards,
Yuri

On 25-01-16 15:35, Havard Eidnes wrote:
</pre>
      <blockquote type="cite">
        <pre wrap="">Hi,

I had reason to inspect the log from the physical console on our 
signer host, and found messages from ods-enforcerd related to two 
of our zones:

Jan 24 17:07:01 hugin ods-enforcerd: Error allocating ksks to zone godegrep.no
Jan 24 17:07:16 hugin ods-enforcerd: Error allocating zsks to zone 2.1.2.6.1.9.3.7.7.4.nrenum.net

and that this is a recurring theme.

Looking at the log reveals a bit more:

Jan 25 14:12:48 hugin ods-enforcerd: Zone godegrep.no found.
Jan 25 14:12:48 hugin ods-enforcerd: Policy for godegrep.no set to default.
Jan 25 14:12:48 hugin ods-enforcerd: Config will be output to /var/opendnssec/signconf/godegrep.no.xml.
Jan 25 14:12:48 hugin ods-enforcerd: Not enough keys to satisfy ksk policy for zone: godegrep.no. keys_to_allocate(1) = keys_needed(1) - (keys_available(1) - keys_pending_retirement(1))
Jan 25 14:12:48 hugin ods-enforcerd: Tried to allocate 1 keys, failed on allocating key number 1
Jan 25 14:12:48 hugin ods-enforcerd: ods-enforcerd will create some more keys on its next run
Jan 25 14:12:48 hugin ods-enforcerd: Error allocating ksks to zone godegrep.no

It seems to me that the calculation above wrt. keys_to_allocate is
correct, but the statement that ods-enforcerd will create more keys
on its next run appears to be a blatant lie.

Listing the keys for these zones reveals that some of the "Date of
next transition" has come and gone without the transition to the
next state having taken place, and one of the key sets has a key in
"generate" state which isn't visible without the "-all" switch:

ods @ hugin: {6} ods-ksmutil key list -all --zone godegrep.no
Keys:
Zone:                           Keytype:      State:    Date of next transition:
godegrep.no                     KSK           active    2015-12-13 15:12:43
godegrep.no                     ZSK           retire    2015-12-29 09:45:48
godegrep.no                     ZSK           active    2016-01-07 04:30:48
godegrep.no                     ZSK           generate  (not scheduled)

ods @ hugin: {7} ods-ksmutil key list --all --zone 2.1.2.6.1.9.3.7.7.4.nrenum.net
Keys:
Zone:                           Keytype:      State:    Date of next transition:
2.1.2.6.1.9.3.7.7.4.nrenum.net  KSK           active    2016-12-09 23:42:31
2.1.2.6.1.9.3.7.7.4.nrenum.net  ZSK           active    2016-01-06 00:25:00

ods @ hugin: {8}

I'm not sure when this started.

So...

1) Any idea how OpenDNSSEC got itself into this state?

2) Are there any manual steps I have to perform to get it out of 
this state for these two zones?

3) Rhetorical: why doesn't OpenDNSSEC recover by itself from this?


Best regards,

- Håvard
_______________________________________________
Opendnssec-user mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Opendnssec-user@lists.opendnssec.org">Opendnssec-user@lists.opendnssec.org</a>
<a class="moz-txt-link-freetext" href="https://lists.opendnssec.org/mailman/listinfo/opendnssec-user">https://lists.opendnssec.org/mailman/listinfo/opendnssec-user</a>

</pre>
      </blockquote>
    </blockquote>
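    <div>The symptom reported in the quoted message (keys whose "Date of next transition" has passed without the transition taking place) can be checked mechanically. The following is an added example, not part of the thread and not OpenDNSSEC code; it assumes the column layout of the "ods-ksmutil key list" output quoted above, and the function names are hypothetical.</div>

```python
from datetime import datetime

# Constructed sample: the key listings quoted in the thread, one key per line.
SAMPLE = """\
Keys:
Zone:                           Keytype:      State:    Date of next transition:
godegrep.no                     KSK           active    2015-12-13 15:12:43
godegrep.no                     ZSK           retire    2015-12-29 09:45:48
godegrep.no                     ZSK           active    2016-01-07 04:30:48
godegrep.no                     ZSK           generate  (not scheduled)
2.1.2.6.1.9.3.7.7.4.nrenum.net  KSK           active    2016-12-09 23:42:31
2.1.2.6.1.9.3.7.7.4.nrenum.net  ZSK           active    2016-01-06 00:25:00
"""

KEYTYPES = {"KSK", "ZSK"}


def parse_key_list(text):
    """Yield (zone, keytype, state, due) per key row; due is None if unscheduled."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[1] not in KEYTYPES:
            continue  # header, shell prompt or blank line
        zone, keytype, state = fields[:3]
        when = " ".join(fields[3:])
        try:
            due = datetime.strptime(when, "%Y-%m-%d %H:%M:%S")
        except ValueError:
            due = None  # e.g. "(not scheduled)" for a key in generate state
        yield zone, keytype, state, due


def overdue_keys(text, now):
    """Return rows whose next transition date is already in the past at `now`."""
    return [(zone, keytype, state, due)
            for zone, keytype, state, due in parse_key_list(text)
            if due is not None and due < now]


def stalled_zones(text, now):
    """Zones with at least one overdue transition, sorted for stable output."""
    return sorted({row[0] for row in overdue_keys(text, now)})


if __name__ == "__main__":
    # Reference time: the timestamp of the second log excerpt in the thread.
    now = datetime(2016, 1, 25, 14, 12, 48)
    for zone, keytype, state, due in overdue_keys(SAMPLE, now):
        print(f"OVERDUE {zone} {keytype} state={state} due={due} late_by={now - due}")
```

    <div>Run periodically against the live listing with the current time as the reference, a non-empty result flags a stalled rollover before the zone's signatures are affected.</div>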
  </body>
</html>