[Opendnssec-user] Problem signing a zone

Casper Gielen c.gielen at uvt.nl
Mon Jun 20 15:30:07 UTC 2011


Op 20-06-11 16:29, Matthijs Mekking schreef:
> Ok, that explains why the signer is complaining about the configuration :).
> 
> Looking again at your previous mail, I see:
> 
> Jun 20 13:02:37 ramanujan ods-enforcerd: Not enough keys to satisfy ksk
> policy for zone: 4.x.x.x.x.x.x.x.0.1.0.0.2.ip6.arpa
> Jun 20 13:02:37 ramanujan ods-enforcerd: ods-enforcerd will create some
> more keys on its next run
> Jun 20 13:02:37 ramanujan ods-enforcerd: Error allocating ksks to zone
> 4.x.x.x.x.x.x.x.0.1.0.0.2.ip6.arpa
> 
> Do you perhaps use shared keys?
> There was a known issue regarding shared keys and adding zones, but it
> should have been fixed in version 1.2.x (I see you are using the latest
> version).

Ho, I don't use shared keys, every zone uses its own keys

> 
> A quick solution that should work would be to generate more keys manually:
> 
>> ods-ksmutil key generate --policy default --interval P1Y


Unfortunately this does not solve the problem. If you are interested I
will send the configs to you by private mail. Thanks for looking into this.


-- 
Casper Gielen <cgielen at uvt.nl> | LIS UNIX
PGP fingerprint = 16BD 2C9F 8156 C242 F981  63B8 2214 083C F80E 4AF7

Universiteit van Tilburg | Postbus 90153, 5000 LE
Warandelaan 2 | Telefoon 013 466 4100 | G 236 | http://www.uvt.nl



-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 262 bytes
Desc: OpenPGP digital signature
URL: <http://lists.opendnssec.org/pipermail/opendnssec-user/attachments/20110620/1feaa306/attachment.bin>


More information about the Opendnssec-user mailing list