[Opendnssec-user] Key rollover issue...what am I doing wrong?

Jerry Lundström jerry at opendnssec.org
Tue Nov 6 15:33:54 UTC 2012


On Nov 6, 2012, at 16:17, elsif wrote:

> Yesterday the ZSK rollover occurred.  19855 moved to "retire", "7645" was selected as the next key and made "active".
> ODS hasn't used the new "7645" key yet.  It's been 14 hours, 14 signings.
> So...when exactly is ODS supposed to start mentioning the "active" key in the zone?

The Enforcer will do the key rollovers, update the signconf for the zone and then notify the Signer that a new signconf is available.

I don't exactly know your setup, but you could start by looking at the signconf for the zone and checking that the right key is configured. Then look at the Signer syslog messages for when the Enforcer rolled the key, to see if there was any problem.

As a workaround you can manually tell the Signer to update the signconf: ods-signer update <zone>


Jerry Lundström - OpenDNSSEC Developer
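
Added example (not part of the original message and not OpenDNSSEC code): a Python check for the first step suggested above, reading a zone's signconf and reporting whether a given key is marked for signing. It assumes the signconf layout of <Key> entries holding a <Locator> plus optional <KSK/>, <ZSK/>, <Publish/> and <Deactivate/> elements; the sample XML, its locators and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample signconf; locators are made up, not taken from the thread.
SAMPLE_SIGNCONF = """<SignerConfiguration>
  <Zone name="example.com">
    <Keys>
      <TTL>PT3600S</TTL>
      <Key>
        <Flags>257</Flags><Algorithm>8</Algorithm>
        <Locator>aaaa0000000000000000000000000001</Locator>
        <KSK/><Publish/>
      </Key>
      <Key>
        <Flags>256</Flags><Algorithm>8</Algorithm>
        <Locator>bbbb0000000000000000000000000002</Locator>
        <Publish/>
      </Key>
      <Key>
        <Flags>256</Flags><Algorithm>8</Algorithm>
        <Locator>cccc0000000000000000000000000003</Locator>
        <ZSK/><Publish/>
      </Key>
    </Keys>
  </Zone>
</SignerConfiguration>"""

ROLE_ELEMENTS = ("KSK", "ZSK", "Publish", "Deactivate")

def signconf_keys(xml_text):
    """Return {locator: set of role element names} for every <Key>."""
    keys = {}
    for key in ET.fromstring(xml_text).iter("Key"):
        locator = key.findtext("Locator", "").strip().lower()
        keys[locator] = {r for r in ROLE_ELEMENTS if key.find(r) is not None}
    return keys

def check_active_zsk(xml_text, locator):
    """Classify what the signconf tells the Signer to do with this key."""
    roles = signconf_keys(xml_text).get(locator.lower())
    if roles is None:
        return "missing"       # key was never written into this signconf
    if "ZSK" in roles:
        return "signing"       # signconf is right; check the Signer's syslog
    return "publish-only"      # DNSKEY is published but not used for signing

if __name__ == "__main__":
    for loc, roles in signconf_keys(SAMPLE_SIGNCONF).items():
        print(loc, sorted(roles), "->", check_active_zsk(SAMPLE_SIGNCONF, loc))
```

A result of "signing" for the new key while the zone still lacks its signatures points at the Signer not having loaded the current signconf, which is the case the manual update covers.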
