[Opendnssec-user] Not enough keys to satisfy ksk policy for zone

Volker Janzen voja at voja.de
Fri Jun 25 19:29:13 UTC 2010

Hi all,

now I've OpenDNSSEC up and running with a Bind using views to serve zones.

I added 4 zones to Bind. Three of them are already signed. The forth will
not sign because of this error message:

ods-enforcerd: Not enough keys to satisfy ksk policy for zone: <domain>

The docs say for this error message:

> One of these messages will be seen if the enforcer does not have enough
> unallocated keys to provide for the zone specified. If the
> ManualKeyGeneration tag is set in conf.xml then you will need to create
> new keys usingods-ksmutil key generate, otherwise new keys will be
> created when the enforcer runs next. (Don’t forget to backup any new
> keys.)

ManualKeyGeneration is diabled in conf.xml:
<!-- <ManualKeyGeneration/> -->

Logfile says

ods-enforcerd: ods-enforcerd will create some more keys on its next run

but it does not after some hours. This error message is repeated again and

I'm using a SoftHSM. Has anybody an idea what I need to do for getting
automated as much keys as needed?

Best regards,
   Volker Janzen

More information about the Opendnssec-user mailing list