[Opendnssec-user] deleting + adding zones causing outage

Paul Wouters paul at nohats.ca
Mon Jun 4 20:00:28 UTC 2012

On Mon, 4 Jun 2012, Paul Wouters wrote:

>> What does the signconf file for nohats.ca and the other zone look like?
> Attached the nohats.ca one. The zone is stock default, eg:

It seems the signer has recovered by itself, and all nohats.ca records
now have an RRSIG. The same for the other zone with 1 RRSIG. The key
status for nohats.ca is:

[root at nohats ]# ods-ksmutil key list --verbose|grep nohats.ca
SQLite database set to: /var/opendnssec/kasp.db
nohats.ca                       KSK           active    2012-12-15 13:56:52 (retire)   2048    8           095e4736b9eb593b2fe83f9aa876412d SoftHSM                           48581
nohats.ca                       ZSK           active    2012-07-04 13:08:36 (retire)   1024    8           1c3bfb14fed753656fbdc7ed77bcca7b SoftHSM                           44754

I'm not sure if it rolled the ZSK, because I don't see a dead key.
The other zone that recovered was not rolled manually shows a key
rollover happened:

valleymedia.net                 KSK           ready     waiting for ds-seen (active)   2048    8           675dfb0879d98c455f2da938a257e923 SoftHSM                           15514
valleymedia.net                 ZSK           retire    2012-06-14 02:28:08 (dead)     1024    8           0b59b6587492ee6ac585bd384cf766ab SoftHSM                           47731
valleymedia.net                 ZSK           active    2012-07-04 13:08:37 (retire)   1024    8           49da5b64be1a6b35a0ae80de94ef5924 SoftHSM                           40224


More information about the Opendnssec-user mailing list