[Opendnssec-user] Not enough keys to satisfy ksk policy for zone
mittelberger at united-domains.de
Fri Oct 22 07:52:51 UTC 2010
I am experiencing the sam problems as Duane Wessels and Björn Hansson
had in June / July.
I am just asking if there are any news in this issue.
I did the following right after a fresh start with OpenDNSSEC:
- Added five zones for signing (and let it completely finish signing)
- Removed one zone (waited a few runs of the enforcer, so that cleanup
should be done)
- Added one zone with same name
The new zone doesn't get signed and the log keeps saying the following:
- Not enough keys to satisfy ksk policy for zone: sub05.domain.tld
- ods-enforcerd will create some more keys on its next run
- ods-enforcerd: Error allocating ksks to zone sub05.domain.tld
At beginning every zone gets 4 keys, two ksks and two zsks.
After the removal of the zone I purged the unused keys, but openDNSSEC
just purged 3 keys and not 4.
I tried also to delete all the files generated for this zone and to
purge all the keys related to the zone manually, before adding it again.
And I tried to generate new keys manually for the policy, but it didn't
If I add new zones with different names now, also the new zones don't
get signed properly.
It seems that there is a bug in the clean up after the zone removal and
that the whole package doesn't work properly afterwards anymore.
All the best,
More information about the Opendnssec-user