[Opendnssec-user] ksk rollover problem

Siôn Lloyd sion at nominet.org.uk
Fri Jun 10 07:39:32 UTC 2011


> I found out that the signer had an "update" command, so I tried another
> zone, and after the enforcer generated the new signconf, I did:
> ods-signer update ZONE
>
> That kicked the signer and it picked up the new key.
>
> I don't really understand why the enforcer doesn't kick the signer as I
> guess it should.
>

Hi there.

The enforcer does try to update the signer whenever a signconf changes. 
If for any reason that call fails it should log:

LOG_ERR, "Could not call signer engine"
LOG_INFO, "Will continue: call 'ods-signer update' to manually update zones"

(if this happens once during a run it will not try again to avoid 
filling your logs).

Do you know if anything like this was logged at the time that the 
enforcer ran?

Sion


