<html><head><meta http-equiv="Content-Type" content="text/html charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><div class="">Hi</div><div class=""><br class=""></div><div class="">OK, so I came right: I added the zone entries in the zone table.</div><div class=""><br class=""></div><div class="">Then I added the keyData for the KSKs and linked them to the correct zone and the correct key in the hsmKey table.</div><div class=""><br class=""></div><div class="">I started and then stopped the OpenDNSSEC system.</div><div class=""><br class=""></div><div class="">It created the default keyState entries; I used that and the following commands to get the keys back to ACTIVE.</div><div class=""><b class="">ods-enforcer key list -d</b></div><div class=""><b class="">ods-enforcer key list -v</b></div><div class=""><b class=""><br class=""></b></div><div class=""> - Side note: it would be super useful to know what the database states = key states.</div><div class=""><b class=""><br class=""></b></div><div class="">The DNSKEY entries and the DNSKEY RRSIG still didn’t appear in the zone the sea is signed correctly.</div><div class=""><br class=""></div><div class="">I then set nextChange in the zone table back; this started a ZSK rollover. I did that a few times and it got stuck on PUBLISH.</div><div class=""><br class=""></div><div class="">I rolled the machine clock forward a day and the new ZSK changed to READY and the old one to RETIRE and the zone re-signed and contained all the DNSKEY entries and the DNSKEY RRSIG.</div><div class=""><br class=""></div><div class="">I then rolled the machine clock back and re-signed; the zone file looks fine, all the RRSIGs are valid and signed with the new ZSK.</div><div class=""><br class=""></div><div class="">OpenDNSSEC shooting its own DB seems to be a rather drastic bug; what is the timeline on a fix for this?</div><div class=""><br class=""></div><div 
class="">Regards</div><div class="">—</div><div class="">David Peall</div><div class=""><br class=""></div><br class=""><div><blockquote type="cite" class=""><div class="">On 26 Sep 2016, at 1:05 PM, David Peall &lt;<a href="mailto:david@dnservices.co.za" class="">david@dnservices.co.za</a>&gt; wrote:</div><br class="Apple-interchange-newline"><div class=""><meta http-equiv="Content-Type" content="text/html charset=utf-8" class=""><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><div class="">Hi </div><div class=""><br class=""></div>I’ve been looking around; I’m using the following to extract the DNSKEY values out of the HSM and match them to the zone files so I can re-link them in the database.<div class="">KSK - ods-hsmutil dnskey &lt;id&gt; test 257 8<br class=""><div class=""><div class=""><div class="">ZSK - ods-hsmutil dnskey &lt;id&gt; test 257 8<br class=""></div></div></div></div></div></div></blockquote><div><br class=""></div><div>Typo </div><div><br class=""></div><div>ZSK - ods-hsmutil dnskey &lt;id&gt; test 256 8<br class=""></div><br class=""><blockquote type="cite" class=""><div class=""><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><div class=""><div class=""><div class=""><div class=""><div class=""><div class=""></div></div></div><div class=""><br class=""></div><div class="">The rest of the database looks fairly straightforward; if there is any heads up I’d appreciate it.</div><div class=""><br class=""></div><div class="">Regards</div><div class="">—</div><div class="">David Peall</div><div class=""><br class=""></div><div class=""><br class=""><div class=""><blockquote type="cite" class=""><div class="">On 26 Sep 2016, at 12:30 PM, David Peall &lt;<a href="mailto:david@dnservices.co.za" class="">david@dnservices.co.za</a>&gt; wrote:</div><br class="Apple-interchange-newline"><div class=""><meta http-equiv="Content-Type" content="text/html 
charset=utf-8" class=""><meta http-equiv="Content-Type" content="text/html charset=utf-8" class=""><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">Hi<div class=""><br class=""></div><div class="">Is it possible to rebuild the database for 3 zones that were deleted from the database? ods-signer is still signing the 3 domains:</div><div class=""><br class=""></div><b class="">ods-signer zones<br class=""></b>There are 3 zones configured<br class="">- 1<br class="">- 2<br class=""><div class="">- 3</div><div class=""><br class=""></div><div class=""><b class="">ods-enforcer zone list</b></div>Database set to: opendnssec<br class="">No zones in database.<br class=""><div class="">zone list completed in 0 seconds. </div><div class=""><br class=""></div><div class="">Keys are still in the HSM.</div><div class=""><br class=""></div><div class="">I need to keep the KSK at minimum; the ZSK and RRSIG records can be re-generated.</div><div class=""><br class=""></div><div class="">Regards</div><div class="">—</div><div class="">David Peall</div><div class=""><br class=""></div></div>_______________________________________________<br class="">Opendnssec-user mailing list<br class=""><a href="mailto:Opendnssec-user@lists.opendnssec.org" class="">Opendnssec-user@lists.opendnssec.org</a><br class=""><a href="https://lists.opendnssec.org/mailman/listinfo/opendnssec-user" class="">https://lists.opendnssec.org/mailman/listinfo/opendnssec-user</a><br class=""></div></blockquote></div><br class=""></div></div></div></div></div>_______________________________________________<br class="">Opendnssec-user mailing list<br class=""><a href="mailto:Opendnssec-user@lists.opendnssec.org" class="">Opendnssec-user@lists.opendnssec.org</a><br class="">https://lists.opendnssec.org/mailman/listinfo/opendnssec-user<br class=""></div></blockquote></div><br class=""></body></html>