[Opendnssec-user] ksk-roll bug or misunderstanding?

Tom Hendrikx tom at whyscream.net
Thu Mar 18 22:17:10 UTC 2010


On 15/03/10 15:22, Tom Hendrikx wrote:
> 
> This looks better. I'll try a ksk-roll with this key and see if the date
> format has any influence.
> 

After some more tests with trunk (latest test with r3069), I still
cannot roll the ksk:

# ods-ksmutil key list -v | grep KSK
SQLite database set to: /var/lib/opendnssec/kasp.db
tomhendrikx.nl                  KSK           active    2010-03-18 19:05:14       a1                                softHSM           4665
tomhendrikx.nl                  KSK           ready     next rollover             5a72dd7ddde39052a5dd391557685d3a  softHSM          27414

# ods-ksmutil key ds-seen --zone tomhendrikx.nl --keytag 27414
SQLite database set to: /var/lib/opendnssec/kasp.db
Found key with CKA_ID 5a72dd7ddde39052a5dd391557685d3a
Key is already active

# ods-ksmutil key ds-seen --zone tomhendrikx.nl --keytag 27414 --retire-current
SQLite database set to: /var/lib/opendnssec/kasp.db
Found key with CKA_ID 5a72dd7ddde39052a5dd391557685d3a
Key is already active

# ods-ksmutil key ksk-retire --zone tomhendrikx.nl --keytag 4665
*WARNING* This will retire the currently active KSK; are you sure? [y/N] y
SQLite database set to: /var/lib/opendnssec/kasp.db
Found key with CKA_ID a1
Error: completing this action would leave no active keys on zone,
quitting...


So I still cannot roll out my old ksk and set the 'ready' key to active.
It seems that ods sees the new key as 'active' when it is still in
'ready' state.

@sion: I'll send the current kasp.db to you off-list, as requested in
your mail.

-- 
Regards,
	Tom
