[Opendnssec-user] Re: Not enough keys to satisfy ksk policy for zone

Duane Wessels dwessels at verisign.com
Fri Jul 2 20:33:39 CEST 2010


I'm experiencing the same problem (bug, I guess) that Volker Janzen
mentioned a couple weeks ago.  I manually added some keys as
suggested by Matthijs, yet the problem persists:

signer# ods-hsmutil list
Listing keys in all repositories.
98 keys found.

Repository            ID                                Type      
----------            --                                ----      
SoftHSM               94d8e9c1791607a04b5178311298564b  RSA/2048  
SoftHSM               ebf9d895791702b318f12d400cf8c6c9  RSA/2048  
...
SoftHSM               ddd4e1099bfc096dd7fd0698144fae93  RSA/2048  
SoftHSM               5d4dc4f3f67801a8d54a12c3367726dc  RSA/2048  
SoftHSM               0ea18a5acbb6b1afbccca8d127e31e9f  RSA/1024  
SoftHSM               89b73ec24a630648214bc5746fae858d  RSA/1024  
SoftHSM               9c1cf5f9bd7f23a398919a6e78e489b9  RSA/1024  
...


Jul  2 18:28:44 signer ods-enforcerd: Zone fourth.tld found.
Jul  2 18:28:44 signer ods-enforcerd: Policy for fourth.tld set to default.
Jul  2 18:28:44 signer ods-enforcerd: Config will be output to /usr/local/var/opendnssec/signconf/fourth.tld.xml.
Jul  2 18:28:44 signer ods-enforcerd: Not enough keys to satisfy ksk policy for zone: fourth.tld
Jul  2 18:28:44 signer ods-enforcerd: ods-enforcerd will create some more keys on its next run
Jul  2 18:28:44 signer ods-enforcerd: Error allocating ksks to zone fourth.tld
Jul  2 18:28:44 signer ods-enforcerd: Disconnecting from Database...
Jul  2 18:28:44 signer ods-enforcerd: Sleeping for 300 seconds.

I must have missed something...?

I'm using opendnssec-1.1.0 installed from FreeBSD ports.

Duane W.

