[Opendnssec-user] ksk rollover problem

Mathieu Arnold mat at mat.cc
Thu Jun 9 17:28:44 UTC 2011


I have a lot of KSK rollover coming this summer, and as I upgraded to 1.2.1
recently, I wanted to try to do a manual rollover first, on a zone I don't
really care about, to see if something changed from the 1.0 or 1.1 I used
last summer.

So, I did :
$ ods-ksmutil key rollover --zone ZONE --keytype KSK

That kicked the enforcer, after a while it did regenerate the signconf file
for that zone. I waited a few hours for the signer to kick in, but the new
KSK was not there, a night passed, and the new KSK was still not there.

After a few commands with ods-signer, I managed to crash the signerd, at
first, I did not understand how I did it, but now, you can reproduce it
easily with :

ods-signer queue | head

(I have 104 zones in there, so it still had things to write and it appears
it did not like not being able to write them.)

I restarted the signer and it picked up the new key, so, I guessed it must
have had a cache somewhere.

I found out that the signer had a, "update" command, so, I tried another
zone, and after the enforcer generated the new signconf, I did :
ods-signer update ZONE

That kicked the signer and it picked up the new key.

I don't really understand why the enforcer doesn't kick the signer as I
guess it should.

Mathieu Arnold

More information about the Opendnssec-user mailing list