[Opendnssec-user] add new zone to ODS

Tom Hendrikx tom at whyscream.net
Mon Feb 24 15:35:31 UTC 2014 

On 02/24/2014 03:49 PM, Emil Natan wrote:
> Hello,
> 
> I apologize in advance in case I'm missing something obvious.
> Here is the problem. I have ODS running managing 3 zones. I started with
> these 3 zones and did not added more zones until now. Now I add new zone
> test.org <http://test.org>, I tried both ways using "ods-ksmutil zone
> add" command and editing the zonelist file manually, in both cases I
> finish with zonelist containing the new zone. Then I run "ods-ksmutil
> update all" which shows no errors.
> 
>   zonelist filename set to /usr/local/ods/etc/opendnssec/zonelist.xml.
> kasp filename set to /usr/local/ods/etc/opendnssec/kasp.xml.
> Repository Keyper found
> No Maximum Capacity set.
> RequireBackup set.
> INFO: The XML in /usr/local/ods/etc/opendnssec/conf.xml is valid
> INFO: The XML in /usr/local/ods/etc/opendnssec/zonelist.xml is valid
> INFO: The XML in /usr/local/ods/etc/opendnssec/kasp.xml is valid
> 
> In the log file I see:
> 
> Feb 24 16:26:17 catwoman ods-enforcerd: Zone test.org <http://test.org>
> found.
> Feb 24 16:26:17 catwoman ods-enforcerd: Policy for test.org
> <http://test.org> set to lab.
> Feb 24 16:26:17 catwoman ods-enforcerd: Config will be output to
> /usr/local/ods/var/opendnssec/signconf/test.org.xml.
> Feb 24 16:26:17 catwoman ods-enforcerd: Not enough keys to satisfy zsk
> policy for zone: test.org <http://test.org>
> Feb 24 16:26:17 catwoman ods-enforcerd: ods-enforcerd will create some
> more keys on its next run
> Feb 24 16:26:17 catwoman ods-enforcerd: Error allocating zsks to zone
> test.org <http://test.org>
> Feb 24 16:26:17 catwoman ods-enforcerd: Disconnecting from Database...
> Feb 24 16:26:17 catwoman ods-enforcerd: Sleeping for 20864 seconds.
> 
> Restart of the ods-enforcerd does not help and it logs exactly the same
> lines. test.org.xml is also not written under signconf and the
> permissions on that directory seem fine.
> I'm running ODS 1.4.

The ZSK policy indicates probably that you have backups required for
keys (the output from 'ods-ksmutil update all' also suggests this).
After adding a new zone, the new keys needs to be generated, then backed
up, and only then you can sign a zone with it.

If you run a daily backup job that does the backups (like I have),
you'll need to wait up to 24 hours before the new zone is actually signed.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 901 bytes
Desc: OpenPGP digital signature
URL: <http://lists.opendnssec.org/pipermail/opendnssec-user/attachments/20140224/7765d925/attachment.bin>

More information about the Opendnssec-user mailing list