[Opendnssec-user] Not enough keys to satisfy ksk policy for zone

Simon Mittelberger mittelberger at united-domains.de
Fri Oct 22 07:52:51 UTC 2010


I am experiencing the same problems as Duane Wessels and Björn Hansson
had in June / July.

I am just asking if there is any news on this issue.

I did the following right after a fresh start with OpenDNSSEC:
- Added five zones for signing (and let it completely finish signing)
- Removed one zone (waited a few runs of the enforcer, so that cleanup
should be done)
- Added one zone with same name

The new zone doesn't get signed and the log keeps saying the following:
- Not enough keys to satisfy ksk policy for zone: sub05.domain.tld
- ods-enforcerd will create some more keys on its next run
- ods-enforcerd: Error allocating ksks to zone sub05.domain.tld

At the beginning every zone gets 4 keys, two ksks and two zsks.

After the removal of the zone I purged the unused keys, but OpenDNSSEC
just purged 3 keys and not 4.

I tried also to delete all the files generated for this zone and to
purge all the keys related to the zone manually, before adding it again.
And I tried to generate new keys manually for the policy, but it didn't

If I add new zones with different names now, also the new zones don't
get signed properly.

It seems that there is a bug in the clean up after the zone removal and
that the whole package doesn't work properly afterwards anymore.

All the best,
Simon Mittelberger
