[Opendnssec-user] Not enough keys to satisfy ksk policy for zone

Matthijs Mekking matthijs at NLnetLabs.nl
Sat Jun 26 12:13:01 UTC 2010


Hi Volker,

Yes this is a bug. In the meantime, you can create some more keys
manually with:

# ods-ksmutil key generate --policy <name> --interval <duration>

That should work.

Best regards,

Matthijs

On 06/25/2010 09:29 PM, Volker Janzen wrote:
> Hi all,
> 
> now I've OpenDNSSEC up and running with a Bind using views to serve zones.
> 
> I added 4 zones to Bind. Three of them are already signed. The fourth will
> not sign because of this error message:
> 
> ods-enforcerd: Not enough keys to satisfy ksk policy for zone: <domain>
> 
> The docs say for this error message:
> 
>> One of these messages will be seen if the enforcer does not have enough
>> unallocated keys to provide for the zone specified. If the
>> ManualKeyGeneration tag is set in conf.xml then you will need to create
>> new keys using ods-ksmutil key generate, otherwise new keys will be
>> created when the enforcer runs next. (Don’t forget to backup any new
>> keys.)
> 
> ManualKeyGeneration is disabled in conf.xml:
> <!-- <ManualKeyGeneration/> -->
> 
> Logfile says
> 
> ods-enforcerd: ods-enforcerd will create some more keys on its next run
> 
> but it does not after some hours. This error message is repeated again and
> again.
> 
> I'm using a SoftHSM. Has anybody an idea what I need to do for getting
> automated as many keys as needed?
> 
> 
> Best regards,
>    Volker Janzen
> 
> 