[Opendnssec-user] Problem signing a zone
matthijs at NLnetLabs.nl
Mon Jun 20 14:29:50 UTC 2011
Ok, that explains why the signer is complaining about the configuration :).
Looking again at your previous mail, I see:
Jun 20 13:02:37 ramanujan ods-enforcerd: Not enough keys to satisfy ksk policy for zone: 4.x.x.x.x.x.x.x.0.1.0.0.2.ip6.arpa
Jun 20 13:02:37 ramanujan ods-enforcerd: ods-enforcerd will create some more keys on its next run
Jun 20 13:02:37 ramanujan ods-enforcerd: Error allocating ksks to zone
Do you perhaps use shared keys?
There was a known issue regarding shared keys and adding zones, but it
should have been fixed in version 1.2.x (I see you are using the latest
A quick solution that should work would be to generate more keys manually:
> ods-ksmutil key generate --policy default --interval P1Y
On 06/20/2011 03:56 PM, Casper Gielen wrote:
> On 20-06-11 15:33, Matthijs Mekking wrote:
>> Hi Casper,
>> If it is the ods-signer that is complaining, it has nothing to do
>> with the database. The signer does not talk to the database (the
>> enforcer does).
>> Furthermore, it is probably the signer configuration
>> (signconf/<zone>.xml) that the signer is complaining about.
>> For me to be able to investigate, I would like to receive the signconf file
>> that is causing this trouble. Also, which version are you using?
> The signconf file is not generated at all.
> I'm using version 1.2.1.dfsg-1 (from the Debian repository).
> 'ods-signer queue' does not list that zone
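Added example, not part of the original message and not OpenDNSSEC code: a small syslog scan that groups the enforcer messages quoted above by zone, so zones stuck on key allocation (and therefore left without a signconf) can be spotted. The function names, the second sample zone (example.test) and the rule that an "Error allocating" line belongs to the most recently named zone are assumptions.

```python
import re

# Constructed sample: the three enforcer lines quoted in the thread (unwrapped),
# plus one constructed line for a second zone that has no allocation error.
SAMPLE_LOG = """\
Jun 20 13:02:37 ramanujan ods-enforcerd: Not enough keys to satisfy ksk policy for zone: 4.x.x.x.x.x.x.x.0.1.0.0.2.ip6.arpa
Jun 20 13:02:37 ramanujan ods-enforcerd: ods-enforcerd will create some more keys on its next run
Jun 20 13:02:37 ramanujan ods-enforcerd: Error allocating ksks to zone
Jun 20 13:05:01 ramanujan ods-enforcerd: Not enough keys to satisfy ksk policy for zone: example.test
"""

# Syslog prefix: timestamp, host, then the ods-enforcerd tag (optional PID).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\s"
    r"ods-enforcerd(?:\[\d+\])?:\s(?P<msg>.*)$"
)
SHORTAGE_RE = re.compile(
    r"Not enough keys to satisfy (?P<kind>\w+) policy for zone: (?P<zone>\S+)"
)
ALLOC_RE = re.compile(r"Error allocating \w+ to zone")


def find_key_shortages(lines):
    """Return {zone: {"kind", "first_seen", "alloc_error"}} from enforcer log lines."""
    zones = {}
    last_zone = None  # zone named by the most recent shortage message
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not an ods-enforcerd syslog line
        msg = m.group("msg")
        short = SHORTAGE_RE.search(msg)
        if short:
            last_zone = short.group("zone")
            zones.setdefault(last_zone, {"kind": short.group("kind"),
                                         "first_seen": m.group("ts"),
                                         "alloc_error": False})
        elif ALLOC_RE.search(msg) and last_zone is not None:
            # Assumption: the error line names no zone (as quoted in the
            # thread), so it is attributed to the last shortage seen.
            zones[last_zone]["alloc_error"] = True
            last_zone = None
    return zones


def blocked_zones(zones):
    """Zones where the shortage was followed by an allocation error."""
    return sorted(z for z, info in zones.items() if info["alloc_error"])


if __name__ == "__main__":
    print(blocked_zones(find_key_shortages(SAMPLE_LOG.splitlines())))
```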