[Opendnssec-user] ods uses a different key for signing than reported by ods-ksmutil
Klaus Darilion
klaus.mailinglists at pernau.at
Fri Nov 15 12:42:34 UTC 2013
On 14.11.2013 15:13, Matthijs Mekking wrote:
> On 11/14/2013 02:26 PM, Klaus Darilion wrote:
>
>>>> Meanwhile I restarted the ods-signer daemon and after the next zone file
>>>> update, ods signed with the correct key. So for now it is fixed, but do
>>>> you have any ideas why the signer still used the old KSK after the KSK
>>>> rollover?
>>>
>>> Can you perhaps provide logs (off list if you wish)?
>>
>> We have syslog logging, but this is rather quiet. Is there anything
>> special for which I should look?
>
> I just wanted to make sure no warnings or errors were logged.
I just checked the logs. The enforcer logged the rollovers (e.g. waiting
for ds-seen, ...), but no errors or warnings. Also the signer did not
log any warnings/errors. We triggered both - a manual ZSK rollover,
followed by a manual KSK rollover - and both showed the same problem. The
enforcer switched to the new key, but the signer still used the old key.
I also checked the signed zone files (we back them up after every signing
run): the new KSK and the new ZSK never showed up in the zone file; only
when I restarted the signer daemon did it switch from the old to the new
keys.
regards
Klaus
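The check Klaus describes (comparing the keys the enforcer reports as active with the keys that actually appear in the signed zone file) can be automated so the mismatch is caught on every signing run instead of being noticed after the fact. The script below is an added example for this thread, not code from OpenDNSSEC or from anyone on the list. It computes DNSKEY key tags per RFC 4034 Appendix B, collects the key tags referenced by the RRSIG records, and reports any expected key that is neither published nor used for signing. The key tags, the DNSKEY public keys and the zone excerpt are constructed for illustration; the "expected" tags stand in for what an operator would read from `ods-ksmutil key list`, and the parser assumes one record per line, as ods-signer writes it.

```python
import base64
import struct

# Constructed: the key tags an operator would read from `ods-ksmutil key list`
# as the keys that should be active after the rollover (not real key tags).
EXPECTED_ACTIVE = {"KSK": 1545, "ZSK": 1800}

# Constructed signed-zone excerpt modelled on the failure in the thread: the
# DNSKEY RRset and the RRSIGs still reference the pre-rollover keys.
SIGNED_ZONE = """\
example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. 2013111501 3600 900 1209600 300
example.com. 3600 IN RRSIG SOA 8 2 3600 20131201000000 20131115000000 2312 example.com. c2lnMQ==
example.com. 3600 IN DNSKEY 257 3 8 AQAD ; old KSK (constructed key material)
example.com. 3600 IN DNSKEY 256 3 8 AQAE ; old ZSK (constructed key material)
example.com. 3600 IN RRSIG DNSKEY 8 2 3600 20131201000000 20131115000000 2057 example.com. c2lnMg==
"""


def key_tag(flags, protocol, algorithm, pubkey):
    """Key tag per RFC 4034 Appendix B (all algorithms except RSA/MD5)."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + pubkey
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_zone(text):
    """Return (dnskeys, rrsigs).

    dnskeys maps key tag -> "KSK"/"ZSK" for every published DNSKEY;
    rrsigs maps covered RR type -> set of key tags that signed it.
    Assumption: one record per line, ';' starts a comment.
    """
    dnskeys = {}
    rrsigs = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].split()
        if "RRSIG" in line:
            i = line.index("RRSIG")
            # rdata: covered alg labels origttl expiration inception keytag signer sig
            covered = line[i + 1]
            tag = int(line[i + 7])
            rrsigs.setdefault(covered, set()).add(tag)
        elif "DNSKEY" in line:
            i = line.index("DNSKEY")
            flags, proto, alg = (int(x) for x in line[i + 1:i + 4])
            pubkey = base64.b64decode("".join(line[i + 4:]))  # key may span tokens
            role = "KSK" if flags & 1 else "ZSK"  # SEP bit marks the KSK
            dnskeys[key_tag(flags, proto, alg, pubkey)] = role
    return dnskeys, rrsigs


def check_keys(zone_text, expected):
    """Compare the signed zone against the keys the enforcer reports as active.

    Returns a list of findings; an empty list means signer and enforcer agree.
    Double-signing during a rollover passes, since only the presence of the
    expected key among the signers is required.
    """
    dnskeys, rrsigs = parse_zone(zone_text)
    findings = []
    for role, tag in expected.items():
        if tag not in dnskeys:
            findings.append(f"expected {role} {tag} not published in DNSKEY RRset")
    ksk_sigs = rrsigs.get("DNSKEY", set())
    if expected["KSK"] not in ksk_sigs:
        findings.append(
            f"DNSKEY RRset not signed by expected KSK {expected['KSK']} "
            f"(signed by {sorted(ksk_sigs)})"
        )
    for covered, tags in rrsigs.items():
        if covered != "DNSKEY" and expected["ZSK"] not in tags:
            findings.append(
                f"{covered} RRset not signed by expected ZSK {expected['ZSK']} "
                f"(signed by {sorted(tags)})"
            )
    return findings


if __name__ == "__main__":
    for finding in check_keys(SIGNED_ZONE, EXPECTED_ACTIVE):
        print("MISMATCH:", finding)
```

Run against the constructed zone, the script reports that neither expected key is published and that both the DNSKEY and SOA RRsets are still signed by the old tags, which is exactly the symptom described above. Feeding it the same zone with the old tags as the expected set returns no findings, so the check can be run after every signing run and alert only when the enforcer and signer disagree.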