[Opendnssec-user] Key rollover over due
=?us-ascii?B?wfXLtg==?=
shuoleo at 126.com
Thu Jul 19 05:20:18 UTC 2012
Hi all,
Below is from my test server, and the status of the keys puzzles me: it's Jul 12 now, and the key tagged 38478, whose retire date is 2012-07-09, is still active, and the new ZSK is still ready.
Should I do a key rollover by "ods-ksmutil keyrollover -z example --keytype ZSK" manually? Isn't it automatic?
[root at CST-BJ-104:202.173.9.19 :~]$ods-ksmutil key list -v
SQLite database set to: /var/opendnssec/kasp.db
Keys:
Zone: Keytype: State: Date of next transition (to): Size: Algorithm: CKA_ID: Repository: Keytag:
example KSK active 2013-07-05 20:48:04 (retire) 2048 8 4f6800a714b360cacaef8f7705b296f4 SoftHSM 3224
example ZSK active 2012-07-09 21:48:58 (retire) 1024 8 183fa4c0dfcfc41644b83565e228d74d SoftHSM 38478
example ZSK ready next rollover (active) 1024 8 149877dc0a7382a80936977b36b4f53e SoftHSM 24096
[root at CST-BJ-104:202.173.9.19 :~]$date
Thu Jul 12 10:18:50 CST 2012
After I ran the rollover command manually, the key status changed:
[root at CST-BJ-104:202.173.9.19 :~]$ods-ksmutil key list -v
SQLite database set to: /var/opendnssec/kasp.db
Keys:
Zone: Keytype: State: Date of next transition (to): Size: Algorithm: CKA_ID: Repository: Keytag:
example KSK active 2013-07-05 20:48:04 (retire) 2048 8 4f6800a714b360cacaef8f7705b296f4 SoftHSM 3224
example ZSK retire 2012-07-12 11:39:47 (dead) 1024 8 183fa4c0dfcfc41644b83565e228d74d SoftHSM 38478
example ZSK active 2012-07-12 14:28:47 (retire) 1024 8 149877dc0a7382a80936977b36b4f53e SoftHSM 24096
I made <RequireBackup> valid in conf.xml; maybe I did not back up the new ZSK with the command, so the automatic rollover did not work properly. So do I have to monitor the newly auto-created key and back it up in order not to disturb the regular key rollover?
Best regards,
Stuart
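Added example (not part of the original post and not OpenDNSSEC code): a Python check that parses the "ods-ksmutil key list -v" rows quoted above and reports keys whose next-transition date has already passed, together with any standby key still in the ready state. The function names are hypothetical, and it assumes the listing timestamps and the comparison time are in the same time zone.

```python
import re
from datetime import datetime

# Constructed sample: the first key listing quoted in the post.
SAMPLE = """\
Zone: Keytype: State: Date of next transition (to): Size: Algorithm: CKA_ID: Repository: Keytag:
example KSK active 2013-07-05 20:48:04 (retire) 2048 8 4f6800a714b360cacaef8f7705b296f4 SoftHSM 3224
example ZSK active 2012-07-09 21:48:58 (retire) 1024 8 183fa4c0dfcfc41644b83565e228d74d SoftHSM 38478
example ZSK ready next rollover (active) 1024 8 149877dc0a7382a80936977b36b4f53e SoftHSM 24096
"""

# Matches only the two row forms seen in the post: a timestamp or the
# literal "next rollover" in the transition column. Other rows are skipped.
ROW = re.compile(
    r"^(?P<zone>\S+)\s+(?P<type>KSK|ZSK)\s+(?P<state>\w+)\s+"
    r"(?P<when>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d|next rollover)\s+"
    r"\((?P<next>\w+)\)\s+(?P<size>\d+)\s+(?P<alg>\d+)\s+"
    r"(?P<cka_id>[0-9a-f]+)\s+(?P<repo>\S+)\s+(?P<tag>\d+)$"
)

def parse_keys(listing):
    """Return one dict per key row; prompts, banners and headers are ignored."""
    keys = []
    for line in listing.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        key = m.groupdict()
        if key["when"] == "next rollover":
            key["when"] = None  # no fixed date: waits for the next rollover
        else:
            key["when"] = datetime.strptime(key["when"], "%Y-%m-%d %H:%M:%S")
        keys.append(key)
    return keys

def overdue(keys, now):
    """List (keytag, pending state, lateness, ready standby tags) for late keys."""
    late = []
    for k in keys:
        if k["when"] is not None and k["when"] < now:
            standby = [s["tag"] for s in keys if s["state"] == "ready"
                       and (s["zone"], s["type"]) == (k["zone"], k["type"])]
            late.append((k["tag"], k["next"], now - k["when"], standby))
    return late

if __name__ == "__main__":
    # "now" is the date shown by the `date` command in the post.
    for tag, nxt, delay, standby in overdue(parse_keys(SAMPLE),
                                            datetime(2012, 7, 12, 10, 18, 50)):
        print(f"keytag {tag}: '{nxt}' overdue by {delay}; ready standby: {standby}")
```

Run from cron against the live command output, a non-empty result is the signal to look at the standby key before the rollover falls further behind.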