[Opendnssec-user] Re: Key rollover over due

Fred Zwarts (KVI) F.Zwarts at KVI.nl
Fri Jul 20 11:19:48 UTC 2012

>> >2012-07-17T07:11:55+02:00 christine ods-enforcerd: ERROR: Trying to make
>> >non-backed up ZSK active when RequireBackup flag is set
>> Yes, there are messages just like the above one, that's why I think the 
>> backup work matters with key rollover.
>From our documentation page 
>"<RequireBackup> is an optional element that specifies that keys from this 
>repository may not be used until they are backed up. If backup has been 
>done, then use 'ods-ksmutil' command to notify OpenDNSSEC about this. The 
>backup notification is needed for OpenDNSSEC to be able to complete a key 

What does that mean exactly? Will OpenDNSSEC continue to sign the zone with 
the old key until the backup notification is done, or will it stop signing 
the zone, because the old key is retiring and the new key is not yet ready? 

