[Opendnssec-user] opendnssec on Ubuntu 10.04 32bit

Rickard Bellgrim rickard at opendnssec.org
Fri Jul 1 08:57:12 UTC 2011

On Fri, Jul 1, 2011 at 10:47 AM, Bryton <bryton at tznic.or.tz> wrote:
> 1:I have saved the zone I want to sing to the unsigned source as the configs
> say and I was hoping ods-signer could sign it and I get the signed zone in
> the signed directory but I don't get anything.Further to this I decided to
> do  ods-signer sign tz   and I got Zone tz scheduled for immediate re-sign.
> why does it saying it immediately and I went to the signed directory nothing
> there.

The Signer Engine will only read the zone once you give it the
"ods-signer sign tz"-command. So every time you edit the zone.
Remember to give this command.

"ods-signer queue" will output what the Signer Engine is working with.
If something failed or if the zone was badly formated, then have a
look in syslog.

> 2:I hope now that all config are ok to get the DS so that I can publish to
> the parent How do i get this.

You can publish your DS once the KSK is in the ready state.

You can get the key in three different ways:
* See syslog
* Configure DelegationSignerSubmitCommand
* ods-ksmutil key export --zone tz --keystate ready --ds

> 3:I did the bellow command and see the list bellow:-
> root at ubuntu-serv-dnssec:/var/lib# ods-ksmutil key list --verbose --zone tz
> SQLite database set to: /var/lib/opendnssec/db/kasp.db
> Keys:
> Zone:                           Keytype:      State:    Date of next
> transition:  CKA_ID:
> Repository:                       Keytag:
> tz                              KSK           publish   2011-07-02
> 01:04:24       2861479296b2cb6ed0f884a479b5e99d
> SoftHSM                           40949
> tz                              ZSK           active    2011-07-31
> 11:04:24       880a44b2e853db6a26368ecdf292898d
> SoftHSM                           48528
> Wat is the DATE OF NEXT TRANSITION.I was hoping it to be 2012-07-02 01:04:24
> (Meaning its after 1 year for KSK ) ZSK is ok i think.

A key goes between different states.

KSK: Publish -> Ready -> (submit ds and ds-seen) -> Active

At this time you will have 1 year until the next transition.

// Rickard

More information about the Opendnssec-user mailing list