[Opendnssec-user] Not enough keys to satisfy ksk policy for zone

Matthijs Mekking matthijs at NLnetLabs.nl
Sat Jun 26 12:13:01 UTC 2010

Hi Volker,

Yes, this is a bug. In the meantime, you can create some more keys
manually with:

# ods-ksmutil key generate --policy <name> --interval <duration>

That should work.

Best regards,


On 06/25/2010 09:29 PM, Volker Janzen wrote:
> Hi all,
> now I've OpenDNSSEC up and running with a Bind using views to serve zones.
> I added 4 zones to Bind. Three of them are already signed. The fourth will
> not sign because of this error message:
> ods-enforcerd: Not enough keys to satisfy ksk policy for zone: <domain>
> The docs say for this error message:
>> One of these messages will be seen if the enforcer does not have enough
>> unallocated keys to provide for the zone specified. If the
>> ManualKeyGeneration tag is set in conf.xml then you will need to create
>> new keys using ods-ksmutil key generate, otherwise new keys will be
>> created when the enforcer runs next. (Don’t forget to backup any new
>> keys.)
> ManualKeyGeneration is disabled in conf.xml:
> <!-- <ManualKeyGeneration/> -->
> Logfile says
> ods-enforcerd: ods-enforcerd will create some more keys on its next run
> but it does not after some hours. This error message is repeated again and
> again.
> I'm using a SoftHSM. Has anybody an idea what I need to do for getting
> automated as many keys as needed?
> Best regards,
>    Volker Janzen