[Opendnssec-user] Key rollover issue...what am I doing wrong?

elsif jake at elsif.net
Tue Nov 6 15:17:42 UTC 2012

SQLite database set to: /var/opendnssec/kasp.db
Zone:                           Keytype:      State:    Date of next 
transition (to):  Size:   Algorithm:  CKA_ID: Repository:
<snip>                              KSK           ready     waiting for 
ds-seen (active)   2048    8           4e73113d40c313a459d91ba0efe4b7c7 
AEP 58156
<snip>                              ZSK           retire    2012-11-13 
05:47:10 (dead)     1024    8           8b28e3a000a937d4c4e4e33774e35c3a 
AEP 19855
<snip>                              ZSK           active    2012-12-05 
16:47:10 (retire)   1024    8           07b751af4606264c62767c6894f41e3f 
AEP 7645

Yesterday the ZSK rollover occurred.  19855 moved to "retire", "7645" was 
selected as the next key and made "active".

ODS hasn't used the new "7645" key yet.  It's been 14 hours, 14 signings.

I nuked the old signed zone thinking that perhaps it was re-using old 
signatures and hadn't required signing with the new key yet, but that's 
had no effect.

So...when exactly is ODS supposed to start mentioning the "active" key in 
the zone?


More information about the Opendnssec-user mailing list