[Opendnssec-user] Problem signing a zone

Matthijs Mekking matthijs at NLnetLabs.nl
Mon Jun 20 14:29:50 UTC 2011



Ok, that explains why the signer is complaining about the configuration :).

Looking again at your previous mail, I see:

Jun 20 13:02:37 ramanujan ods-enforcerd: Not enough keys to satisfy ksk
policy for zone: 4.x.x.x.x.x.x.x.0.1.0.0.2.ip6.arpa
Jun 20 13:02:37 ramanujan ods-enforcerd: ods-enforcerd will create some
more keys on its next run
Jun 20 13:02:37 ramanujan ods-enforcerd: Error allocating ksks to zone
4.x.x.x.x.x.x.x.0.1.0.0.2.ip6.arpa

Do you perhaps use shared keys?
There was a known issue regarding shared keys and adding zones, but it
should have been fixed in version 1.2.x (I see you are using the latest
version).

A quick solution that should work would be to generate more keys manually:

> ods-ksmutil key generate --policy default --interval P1Y


Best regards,

Matthijs


On 06/20/2011 03:56 PM, Casper Gielen wrote:
> On 20-06-11 15:33, Matthijs Mekking wrote:
>> Hi Casper,
>>
>> If it is the ods-signer that is complaining, it has nothing to do
>> with the database. The signer does not talk to the database (the
>> enforcer does).
>>
>> Furthermore, it is probably the signer configuration
>> (signconf/<zone>.xml) that the signer is complaining about.
>>
>> For me to be able to investigate, I would like to receive the signconf file
>> that is causing this trouble. Also, which version are you using?
>>
> 
> The signconf file is not generated at all.
> I'm using version 1.2.1.dfsg-1  (from the Debian repository).
> 
> 'ods-signer queue' does not list that zone


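A way to list every zone affected by the enforcer messages quoted in the mail above, as an added example that is not part of the original thread or of OpenDNSSEC. The function names, the host name and the sample zones are constructed, and the zsk line assumes the enforcer words it like the ksk line shown in the mail.

```shell
#!/bin/sh
# Added example: summarise ods-enforcerd key-shortage messages per zone.

# Constructed sample syslog lines (host name and zones are placeholders).
# The zsk line assumes the enforcer words it like the ksk line in the mail.
sample_log() {
    cat <<'EOF'
Jun 20 13:02:37 ns1 ods-enforcerd: Not enough keys to satisfy ksk policy for zone: example.org
Jun 20 13:02:37 ns1 ods-enforcerd: ods-enforcerd will create some more keys on its next run
Jun 20 13:02:37 ns1 ods-enforcerd: Error allocating ksks to zone example.org
Jun 20 14:02:37 ns1 ods-enforcerd: Not enough keys to satisfy zsk policy for zone: example.net
EOF
}

# Reads syslog text on stdin and prints, per zone and key type:
#   <zone> <ksk|zsk> shortage=<count> alloc_error=<count>
enforcer_key_shortages() {
    awk '
    /ods-enforcerd: Not enough keys to satisfy / {
        k = $NF " " $(NF-4)           # zone is the last word, key type 4 before it
        shortage[k]++; seen[k] = 1
    }
    /ods-enforcerd: Error allocating / {
        t = $(NF-3); sub(/s$/, "", t) # "ksks" -> "ksk"
        k = $NF " " t
        failed[k]++; seen[k] = 1
    }
    END {
        for (k in seen)
            printf "%s shortage=%d alloc_error=%d\n", k, shortage[k], failed[k]
    }' | LC_ALL=C sort
}

# Zones where key allocation failed outright; check these first.
zones_with_alloc_errors() {
    enforcer_key_shortages | awk '$4 != "alloc_error=0" { print $1 }' | LC_ALL=C sort -u
}

# Stand-alone run on the constructed sample.
sample_log | enforcer_key_shortages
```

On a live system, pipe in the syslog file that receives the ods-enforcerd messages instead of `sample_log`, then generate keys for the affected policy with the `ods-ksmutil key generate` command given in the mail.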