[Opendnssec-user] Version 1.1.0 and KSK rollover logic
Sion Lloyd
sion at nominet.org.uk
Wed Jul 7 09:34:00 UTC 2010
> So, I'm a bit stuck, because the enforcer tells me:
>
> Jul 7 10:56:20 ns1 ods-enforcerd: WARNING: KSK Retirement reached; please
> submit the new DS for 242.143.79.in-addr.arpa and use ods-ksmutil key
> ksk-roll to roll the key.
>
> Which I can't do, because the DS can't be accepted :-)
>
> Chicken, Egg...

This message is during a scheduled rollover and so a replacement key _should_
have been prepublished in the zone.

The situation where the DS exists without the key being in the zone is for a
standby KSK only.

Sion