[Opendnssec-user] opendnssec on Ubuntu 10.04 32bit

Rickard Bellgrim rickard at opendnssec.org
Fri Jul 1 09:29:42 UTC 2011


On Fri, Jul 1, 2011 at 11:17 AM, Bryton <bryton at tznic.or.tz> wrote:
>
> Thanks Richard,
>
> Now this means that if I want to sign the zone before KSK is in ACTIVE state
> it is not possible.and further to this What can I do to make the KSK to move
> from Publish to Active as soon as possible?This is because After checking
> the queue I have seen the bellow
>
> I have 1 tasks scheduled
> It is now Fri Jul  1 12:13:51 2011
> On Fri Jul  1 13:37:31 2011 I will sign zone tz

The zone will be signed before the KSK is considered to be active. It
is just that the DNSKEY+RRSIG must propagate before you can send up
the DS to the parent zone.

The Enforcer follows your policy where you have configured the timing
parameters. It would not be wise to speed the process up unless you
can reflect the new timing parameters in your infrastructure.

The Signer Engine will check if the signatures needs to be renewed
every re-sign interval. If you have no signed zone in the location
given by zonelist.xml, than check your syslog for further assistance.
Did the Auditor complain in syslog?

Try running "ods-signer sign tz" again and the check syslog. What does it say?

// Rickard



More information about the Opendnssec-user mailing list