[Opendnssec-user] NOTE: keys generated in repository SoftHSM will not become active until they have been backed up
Rickard Bellgrim
rickard at opendnssec.org
Mon Feb 27 08:32:09 UTC 2012
> 2. ods-ksmutil key list
> Keys:
> Zone:     Keytype:  State:    Date of next transition:
> xxx.com   ZSK       active    2012-03-27 15:02:21
> xxx.com   KSK       publish   2012-02-27 05:02:21
>
> 3. root@debian:~# ods-ksmutil backup prepare
> There were no keys to mark
> root@debian:~# ods-ksmutil backup commit
> There were no keys to mark
> root@debian:~# ods-ksmutil backup list
> Backups:
> Date:                Repository:
> 2012-02-26 15:02:00  SoftHSM
>
> root@debian:~# ods-ksmutil backup done
> There were no keys to mark
> There were no keys to mark
>
> Do you have any suggestions?
I cannot say why there were no keys to mark as backed up. Do you have
<RequireBackup> set for the SoftHSM repository (see in conf.xml)? If
not, then the first message should not have been shown.
The KSK will not become active until you have uploaded the DS RR and
said ds-seen to the Enforcer. The first time you sign the zone, the
KSK will sign the DNSKEY RRset. The keys and signatures will then be
sent out. Once they have propagated for enough time, the KSK will be
ready (date of next state 2012-02-27 05:02:21). At this point you can
upload the corresponding DS RR to the parent zone. Once you say
ds-seen, the key will be marked as active.
// Rickard
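
The KSK sequence described in the reply above (publish, then ready, then active once ds-seen has been given), as an added example that is not part of the original thread: a shell function that reads `ods-ksmutil key list` output and prints the next operator step for each KSK. The `yyy.example` row, the function names and the wording of the steps are constructed for illustration, and the column layout is assumed to match the listing quoted in the thread.

```shell
#!/bin/sh
# Added example, not from the original thread.
# Reads `ods-ksmutil key list` output on stdin and prints one line per KSK:
#   <zone> <state> <next operator step>
# Assumed column layout (as quoted in the thread): Zone Keytype State Date Time

ksk_next_step() {
    # $1: current UTC time as "YYYY-MM-DD HH:MM:SS". This format sorts
    # lexicographically in time order, so a string comparison is sufficient.
    awk -v now="$1" '
        $2 != "KSK" { next }    # skips header lines and ZSK rows
        {
            when = $4 " " $5
            if ($3 == "publish") {
                # DNSKEY and signatures are still propagating
                if ((when "") > (now ""))
                    step = "wait until " when
                else
                    step = "propagation time passed, expect ready"
            } else if ($3 == "ready") {
                # date column is not used for this state
                step = "upload DS to parent, then ds-seen"
            } else if ($3 == "active") {
                step = "none"
            } else {
                step = "not covered here"
            }
            printf "%s %s %s\n", $1, $3, step
        }'
}

sample_listing() {
    # The xxx.com rows come from the thread; the yyy.example row is constructed.
    cat <<'EOF'
Keys:
Zone:        Keytype:  State:    Date of next transition:
xxx.com      ZSK       active    2012-03-27 15:02:21
xxx.com      KSK       publish   2012-02-27 05:02:21
yyy.example  KSK       ready     2012-02-20 05:02:21
EOF
}

# Evaluate the sample as of shortly after the keys were generated.
sample_listing | ksk_next_step "2012-02-26 16:00:00"
```

On a live system the listing would come from `ods-ksmutil key list` piped into `ksk_next_step "$(date -u '+%Y-%m-%d %H:%M:%S')"`.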