[Opendnssec-user] Key rollover over due

刘硕 shuoleo at 126.com
Thu Jul 19 05:20:18 UTC 2012


Hi all,
Below is output from my test server, and the status of the keys puzzles me. It's Jul 12 now, and the key tagged 38478, whose retire date is 2012-07-09, is still active, and the new ZSK is still ready.
Should I do a key rollover by "ods-ksmutil keyrollover -z example --keytype ZSK" manually? Isn't it automatic?
[root at CST-BJ-104:202.173.9.19 :~]$ods-ksmutil key list -v
SQLite database set to: /var/opendnssec/kasp.db
Keys:
Zone:                           Keytype:      State:    Date of next transition (to):  Size:   Algorithm:  CKA_ID:                           Repository:                       Keytag:
example                         KSK           active    2013-07-05 20:48:04 (retire)   2048    8           4f6800a714b360cacaef8f7705b296f4  SoftHSM                           3224
example                         ZSK           active    2012-07-09 21:48:58 (retire)   1024    8           183fa4c0dfcfc41644b83565e228d74d  SoftHSM                           38478
example                         ZSK           ready     next rollover       (active)   1024    8           149877dc0a7382a80936977b36b4f53e  SoftHSM                           24096

[root at CST-BJ-104:202.173.9.19 :~]$date
Thu Jul 12 10:18:50 CST 2012

After I ran the rollover command manually, the key status changed:
[root at CST-BJ-104:202.173.9.19 :~]$ods-ksmutil key list -v
SQLite database set to: /var/opendnssec/kasp.db
Keys:
Zone:                           Keytype:      State:    Date of next transition (to):  Size:   Algorithm:  CKA_ID:                           Repository:                       Keytag:
example                         KSK           active    2013-07-05 20:48:04 (retire)   2048    8           4f6800a714b360cacaef8f7705b296f4  SoftHSM                           3224
example                         ZSK           retire    2012-07-12 11:39:47 (dead)     1024    8           183fa4c0dfcfc41644b83565e228d74d  SoftHSM                           38478
example                         ZSK           active    2012-07-12 14:28:47 (retire)   1024    8           149877dc0a7382a80936977b36b4f53e  SoftHSM                           24096

I made <RequireBackup> valid in conf.xml; maybe I did not back up the new ZSK with the command, so the automatic rollover did not work properly. So do I have to monitor the newly auto-created key and back it up in order not to disturb the regular key rollover?



Best regards,
Stuart
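
An added example (not part of the original post and not OpenDNSSEC code): a check that parses the `ods-ksmutil key list -v` output shown in the message and reports keys whose dated next transition is already in the past. The function names are illustrative, and it assumes the listing times and the comparison time are in the same time zone.

```python
import re
from datetime import datetime

# First key listing copied from the post above.
LISTING = """\
SQLite database set to: /var/opendnssec/kasp.db
Keys:
Zone:                           Keytype:      State:    Date of next transition (to):  Size:   Algorithm:  CKA_ID:                           Repository:                       Keytag:
example                         KSK           active    2013-07-05 20:48:04 (retire)   2048    8           4f6800a714b360cacaef8f7705b296f4  SoftHSM                           3224
example                         ZSK           active    2012-07-09 21:48:58 (retire)   1024    8           183fa4c0dfcfc41644b83565e228d74d  SoftHSM                           38478
example                         ZSK           ready     next rollover       (active)   1024    8           149877dc0a7382a80936977b36b4f53e  SoftHSM                           24096
"""

# One key row: zone, type, state, "date or text (target state)", size,
# algorithm, CKA_ID, repository, keytag.
ROW = re.compile(
    r"^(?P<zone>\S+)\s+(?P<type>KSK|ZSK)\s+(?P<state>\S+)\s+"
    r"(?P<when>.+?)\s+\((?P<to>\w+)\)\s+(?P<size>\d+)\s+(?P<alg>\d+)\s+"
    r"(?P<cka>[0-9a-f]+)\s+(?P<repo>\S+)\s+(?P<tag>\d+)$"
)


def parse_keys(listing):
    """Return one dict per key row; banner and header lines are skipped."""
    rows = (ROW.match(line.strip()) for line in listing.splitlines())
    return [m.groupdict() for m in rows if m]


def overdue_keys(listing, now):
    """Return (keytag, state, target, lateness) for transitions due before now."""
    late = []
    for key in parse_keys(listing):
        try:
            due = datetime.strptime(key["when"], "%Y-%m-%d %H:%M:%S")
        except ValueError:
            continue  # undated entry such as "next rollover"
        if due < now:
            late.append((int(key["tag"]), key["state"], key["to"], now - due))
    return late


if __name__ == "__main__":
    now = datetime(2012, 7, 12, 10, 18, 50)  # the `date` output in the post
    for tag, state, to, lateness in overdue_keys(LISTING, now):
        print(f"keytag {tag}: still {state}, '{to}' overdue by {lateness}")
```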