[Opendnssec-user] Problem signing a zone
Matthijs Mekking
matthijs at NLnetLabs.nl
Mon Jun 20 14:29:50 UTC 2011
Ok, that explains why the signer is complaining about the configuration :).

Looking again at your previous mail, I see:

Jun 20 13:02:37 ramanujan ods-enforcerd: Not enough keys to satisfy ksk
policy for zone: 4.x.x.x.x.x.x.x.0.1.0.0.2.ip6.arpa
Jun 20 13:02:37 ramanujan ods-enforcerd: ods-enforcerd will create some
more keys on its next run
Jun 20 13:02:37 ramanujan ods-enforcerd: Error allocating ksks to zone
4.x.x.x.x.x.x.x.0.1.0.0.2.ip6.arpa

Do you perhaps use shared keys?
There was a known issue regarding shared keys and adding zones, but it
should have been fixed in version 1.2.x (I see you are using the latest
version).

A quick solution that should work would be to generate more keys manually:

> ods-ksmutil key generate --policy default --interval P1Y

Best regards,
Matthijs

On 06/20/2011 03:56 PM, Casper Gielen wrote:
> On 20-06-11 15:33, Matthijs Mekking wrote:
>> Hi Casper,
>>
>> If it is the ods-signer that is complaining, it has nothing to do
>> with the database. The signer does not talk to the database (the
>> enforcer does).
>>
>> Furthermore, it is probably the signer configuration
>> (signconf/<zone>.xml) that the signer is complaining about.
>>
>> For me to be able to investigate, I would like to receive the signconf file
>> that is causing this trouble. Also, which version are you using?
>>
>
> The signconf file is not generated at all.
> I'm using version 1.2.1.dfsg-1 (from the Debian repository).
>
> 'ods-signer queue' does not list that zone