[Opendnssec-user] ksk rollover problem
mat at mat.cc
Thu Jun 9 17:28:44 UTC 2011
I have a lot of KSK rollover coming this summer, and as I upgraded to 1.2.1
recently, I wanted to try to do a manual rollover first, on a zone I don't
really care about, to see if something changed from the 1.0 or 1.1 I used
So, I did :
$ ods-ksmutil key rollover --zone ZONE --keytype KSK
That kicked the enforcer, after a while it did regenerate the signconf file
for that zone. I waited a few hours for the signer to kick in, but the new
KSK was not there, a night passed, and the new KSK was still not there.
After a few commands with ods-signer, I managed to crash the signerd, at
first, I did not understand how I did it, but now, you can reproduce it
easily with :
ods-signer queue | head
(I have 104 zones in there, so it still had things to write and it appears
it did not like not being able to write them.)
I restarted the signer and it picked up the new key, so, I guessed it must
have had a cache somewhere.
I found out that the signer had a, "update" command, so, I tried another
zone, and after the enforcer generated the new signconf, I did :
ods-signer update ZONE
That kicked the signer and it picked up the new key.
I don't really understand why the enforcer doesn't kick the signer as I
guess it should.
More information about the Opendnssec-user