[Opendnssec-user] Key Rollover

Rickard Bellgrim rickard.bellgrim at iis.se
Fri Oct 30 18:22:04 UTC 2009


The message is trying to say that the rollover process is not fully complete, but will happen in a moment. So it is working.

A key must have been published long enough in the zone before it gets active. This is so that your zone will be verifiable during the entire rollover process.

The time it takes to do a rollover depends on the different intervals in your policy.

If you want the rollover process to go quicker, then you must have standby keys in your policy. They are keys that are already prepublished in your zone.

If you don't have standby keys, then OpenDNSSEC will first prepublish a key, then after a time make it active, and then retire the other key.

(The text "communicated" will be replaced in the next release, since it has had a new name since release b1.)

On 30 Oct 2009, at 16:13, "B C" <brettlists at gmail.com> wrote:

When I try to initiate a key rollover I get the following message:

/opt/opendnssec6/bin/ods-ksmutil key rollover --zone blacksunsystems.co.uk --keytype zsk
SQLite database set to: /var/opendnssec/kasp.db
WARNING: key rollover not completed as there are no keys in the 'ready' state; communicated will try again when it runs next

So I try to generate some new keys as follows:

/opt/opendnssec6/bin/ods-ksmutil key generate --policy default --interval 1
SQLite database set to: /var/opendnssec/kasp.db
Key sharing is Off
HSM opened successfully.
all done! hsm_close result: 0


This doesn't seem to make any difference though. Am I misunderstanding something somewhere?

Brett
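As an added illustration (not code from this thread or from OpenDNSSEC itself), here is a small Python model of the key life cycle Rickard describes: a generated key is prepublished, becomes "ready" only after resolvers have had time to see it (an assumed DNSKEY TTL plus propagation delay, constructed values), and a rollover succeeds only if a "ready" key exists, which is why a prepublished standby key makes the rollover immediate.

```python
"""Toy model of the ZSK states discussed above: publish -> ready -> active -> retire.
The interval is a constructed sample value, not read from a real kasp.xml."""
from dataclasses import dataclass

# Assumed: a key counts as 'ready' once DNSKEY TTL (3600 s) + propagation (1800 s) has elapsed
PREPUBLISH_TIME = 3600 + 1800


@dataclass
class Key:
    name: str
    state: str   # "publish", "ready", "active" or "retire"
    since: int   # time (seconds) at which the key entered its current state


class ZskSet:
    def __init__(self, keys, now=0):
        self.keys = list(keys)
        self.now = now

    def advance(self, now):
        """Move time forward; promote published keys that have been visible long enough."""
        self.now = now
        for k in self.keys:
            if k.state == "publish" and now - k.since >= PREPUBLISH_TIME:
                k.state, k.since = "ready", now

    def generate(self, name):
        """Analogue of 'ods-ksmutil key generate': a new key, prepublished but not yet ready."""
        self.keys.append(Key(name, "publish", self.now))

    def rollover(self):
        """Analogue of 'ods-ksmutil key rollover --keytype zsk'.
        Returns False when no key is in the 'ready' state (the WARNING in the original post)."""
        ready = [k for k in self.keys if k.state == "ready"]
        if not ready:
            return False
        for k in self.keys:
            if k.state == "active":
                k.state, k.since = "retire", self.now
        ready[0].state, ready[0].since = "active", self.now
        return True

    def active(self):
        return [k.name for k in self.keys if k.state == "active"]
```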