[Opendnssec-user] deleting + adding zones causing outage
Paul Wouters
paul at nohats.ca
Mon Jun 4 20:00:28 UTC 2012
On Mon, 4 Jun 2012, Paul Wouters wrote:
>> What does the signconf file for nohats.ca and the other zone look like?
>
> Attached the nohats.ca one. The zone is stock default, eg:
It seems the signer has recovered by itself, and all nohats.ca records
now have an RRSIG. The same for the other zone with 1 RRSIG. The key
status for nohats.ca is:
[root at nohats ]# ods-ksmutil key list --verbose|grep nohats.ca
SQLite database set to: /var/opendnssec/kasp.db
nohats.ca KSK active 2012-12-15 13:56:52 (retire) 2048 8 095e4736b9eb593b2fe83f9aa876412d SoftHSM 48581
nohats.ca ZSK active 2012-07-04 13:08:36 (retire) 1024 8 1c3bfb14fed753656fbdc7ed77bcca7b SoftHSM 44754
I'm not sure if it rolled the ZSK, because I don't see a dead key.
The other zone that recovered, which was not rolled manually, shows that a key
rollover happened:
valleymedia.net KSK ready waiting for ds-seen (active) 2048 8 675dfb0879d98c455f2da938a257e923 SoftHSM 15514
valleymedia.net ZSK retire 2012-06-14 02:28:08 (dead) 1024 8 0b59b6587492ee6ac585bd384cf766ab SoftHSM 47731
valleymedia.net ZSK active 2012-07-04 13:08:37 (retire) 1024 8 49da5b64be1a6b35a0ae80de94ef5924 SoftHSM 40224
Paul