[Opendnssec-user] add new zone to ODS

Emil Natan shlyoko at gmail.com
Mon Feb 24 16:35:21 UTC 2014


On Mon, Feb 24, 2014 at 5:35 PM, Tom Hendrikx <tom at whyscream.net> wrote:

> On 02/24/2014 03:49 PM, Emil Natan wrote:
> > Hello,
> >
> > I apologize in advance in case I'm missing something obvious.
> > Here is the problem. I have ODS running, managing 3 zones. I started with
> > these 3 zones and did not add more zones until now. Now I added a new zone,
> > test.org. I tried both ways, using the "ods-ksmutil zone add" command and
> > editing the zonelist file manually; in both cases I finish with a zonelist
> > containing the new zone. Then I run "ods-ksmutil update all", which shows
> > no errors.
> >
> > zonelist filename set to /usr/local/ods/etc/opendnssec/zonelist.xml.
> > kasp filename set to /usr/local/ods/etc/opendnssec/kasp.xml.
> > Repository Keyper found
> > No Maximum Capacity set.
> > RequireBackup set.
> > INFO: The XML in /usr/local/ods/etc/opendnssec/conf.xml is valid
> > INFO: The XML in /usr/local/ods/etc/opendnssec/zonelist.xml is valid
> > INFO: The XML in /usr/local/ods/etc/opendnssec/kasp.xml is valid
> >
> > In the log file I see:
> >
> > Feb 24 16:26:17 catwoman ods-enforcerd: Zone test.org found.
> > Feb 24 16:26:17 catwoman ods-enforcerd: Policy for test.org set to lab.
> > Feb 24 16:26:17 catwoman ods-enforcerd: Config will be output to /usr/local/ods/var/opendnssec/signconf/test.org.xml.
> > Feb 24 16:26:17 catwoman ods-enforcerd: Not enough keys to satisfy zsk policy for zone: test.org
> > Feb 24 16:26:17 catwoman ods-enforcerd: ods-enforcerd will create some more keys on its next run
> > Feb 24 16:26:17 catwoman ods-enforcerd: Error allocating zsks to zone test.org
> > Feb 24 16:26:17 catwoman ods-enforcerd: Disconnecting from Database...
> > Feb 24 16:26:17 catwoman ods-enforcerd: Sleeping for 20864 seconds.
> >
> > Restart of the ods-enforcerd does not help and it logs exactly the same
> > lines. test.org.xml is also not written under signconf and the
> > permissions on that directory seem fine.
> > I'm running ODS 1.4.
>
> The ZSK policy message probably indicates that you have backups required for
> keys (the output from 'ods-ksmutil update all' also suggests this).
> After adding a new zone, the new keys need to be generated, then backed
> up, and only then can you sign a zone with them.
>
> If you run a daily backup job that does the backups (like I have),
> you'll need to wait up to 24 hours before the new zone is actually signed.
>


Thank you for your reply.
I do not see keys generated for that zone (ods-ksmutil key list --verbose).
I used "ods-ksmutil backup done" to mark all existing keys as backed up and
then restarted the enforcer and still new keys for the new zone are not
generated and the same messages are logged. I also do not understand why I
have to wait, I presume there is a way to force the enforcer to create the
keys for the new zone now.

ena
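As an added example, not code from this thread or from the OpenDNSSEC project, here is a POSIX shell check that ties the two symptoms discussed above together: it pulls the zones with key-allocation failures out of ods-enforcerd log lines, checks whether conf.xml sets `<RequireBackup/>` on a repository, and reads the interval until the enforcer's next run. The log lines and the conf.xml fragment are constructed from what the thread quotes; the repository name "Keyper" is the one from the `ods-ksmutil update all` output.

```shell
#!/bin/sh
# Constructed sample input: the ods-enforcerd lines quoted in the thread,
# with the mail client's "<http://...>" link residue removed.
SAMPLE_LOG='Feb 24 16:26:17 catwoman ods-enforcerd: Zone test.org found.
Feb 24 16:26:17 catwoman ods-enforcerd: Policy for test.org set to lab.
Feb 24 16:26:17 catwoman ods-enforcerd: Not enough keys to satisfy zsk policy for zone: test.org
Feb 24 16:26:17 catwoman ods-enforcerd: ods-enforcerd will create some more keys on its next run
Feb 24 16:26:17 catwoman ods-enforcerd: Error allocating zsks to zone test.org
Feb 24 16:26:17 catwoman ods-enforcerd: Disconnecting from Database...
Feb 24 16:26:17 catwoman ods-enforcerd: Sleeping for 20864 seconds.'

# Constructed conf.xml fragment: a repository with <RequireBackup/> set,
# which is what "RequireBackup set." in the ods-ksmutil output reports.
SAMPLE_CONF='<Configuration>
  <RepositoryList>
    <Repository name="Keyper">
      <RequireBackup/>
    </Repository>
  </RepositoryList>
</Configuration>'

# Zones for which the enforcer could not allocate keys, each printed once.
zones_missing_keys() {
    printf '%s\n' "$1" |
    sed -n -e 's/.*Not enough keys to satisfy [a-z]* policy for zone: *\([^ ]*\).*/\1/p' \
           -e 's/.*Error allocating [a-z]* to zone \([^ ]*\).*/\1/p' |
    awk '!seen[$0]++'
}

# Exit 0 when a repository in conf.xml requires keys to be backed up
# before the enforcer will hand them to a zone.
require_backup_set() {
    printf '%s\n' "$1" | grep -q '<RequireBackup */>'
}

# Seconds until the enforcer's next run, from its last "Sleeping" line.
enforcer_sleep_seconds() {
    printf '%s\n' "$1" | sed -n 's/.*Sleeping for \([0-9]*\) seconds.*/\1/p' | tail -n 1
}

for zone in $(zones_missing_keys "$SAMPLE_LOG"); do
    if require_backup_set "$SAMPLE_CONF"; then
        echo "$zone: no keys allocated and RequireBackup is set; new keys must exist and be marked backed up (ods-ksmutil backup done) before use"
    else
        echo "$zone: no keys allocated; next enforcer run in $(enforcer_sleep_seconds "$SAMPLE_LOG") seconds"
    fi
done
```

Point the two variables at `/var/log/syslog` (or wherever ods-enforcerd logs) and the live conf.xml to run it against a real installation.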