[Opendnssec-user] add new zone to ODS
shlyoko at gmail.com
Tue Feb 25 12:59:35 UTC 2014
Ok, I think I'm getting closer. I already had a zone using the "lab" policy
which was working well. Tried to add test.org to "lab" as well and got into
the issues I already mentioned. Then I changed the policy for test.org to
something else and it worked, signconf file was created, keys generated and
zone signed. Then tried to add two new zones, one using "lab" and another
one using "testpolicy" policy and again I had a problem for the zone using
"lab" and the one using "testpolicy" worked well. A test kasp.xml file
including both policies is attached. Just to make it clear I already have a
zone using the "lab" policy which works well, but the second zone I add
fails. Any ideas?
Thank you in advance.
On Mon, Feb 24, 2014 at 6:35 PM, Emil Natan <shlyoko at gmail.com> wrote:
> On Mon, Feb 24, 2014 at 5:35 PM, Tom Hendrikx <tom at whyscream.net> wrote:
>> On 02/24/2014 03:49 PM, Emil Natan wrote:
>> > Hello,
>> > I apologize in advance in case I'm missing something obvious.
>> > Here is the problem. I have ODS running managing 3 zones. I started with
>> > these 3 zones and did not added more zones until now. Now I add new zone
>> > test.org <http://test.org>, I tried both ways using "ods-ksmutil zone
>> > add" command and editing the zonelist file manually, in both cases I
>> > finish with zonelist containing the new zone. Then I run "ods-ksmutil
>> > update all" which shows no errors.
>> > zonelist filename set to /usr/local/ods/etc/opendnssec/zonelist.xml.
>> > kasp filename set to /usr/local/ods/etc/opendnssec/kasp.xml.
>> > Repository Keyper found
>> > No Maximum Capacity set.
>> > RequireBackup set.
>> > INFO: The XML in /usr/local/ods/etc/opendnssec/conf.xml is valid
>> > INFO: The XML in /usr/local/ods/etc/opendnssec/zonelist.xml is valid
>> > INFO: The XML in /usr/local/ods/etc/opendnssec/kasp.xml is valid
>> > In the log file I see:
>> > Feb 24 16:26:17 catwoman ods-enforcerd: Zone test.org <http://test.org>
>> > found.
>> > Feb 24 16:26:17 catwoman ods-enforcerd: Policy for test.org
>> > <http://test.org> set to lab.
>> > Feb 24 16:26:17 catwoman ods-enforcerd: Config will be output to
>> > /usr/local/ods/var/opendnssec/signconf/test.org.xml.
>> > Feb 24 16:26:17 catwoman ods-enforcerd: Not enough keys to satisfy zsk
>> > policy for zone: test.org <http://test.org>
>> > Feb 24 16:26:17 catwoman ods-enforcerd: ods-enforcerd will create some
>> > more keys on its next run
>> > Feb 24 16:26:17 catwoman ods-enforcerd: Error allocating zsks to zone
>> > test.org <http://test.org>
>> > Feb 24 16:26:17 catwoman ods-enforcerd: Disconnecting from Database...
>> > Feb 24 16:26:17 catwoman ods-enforcerd: Sleeping for 20864 seconds.
>> > Restart of the ods-enforcerd does not help and it logs exactly the same
>> > lines. test.org.xml is also not written under signconf and the
>> > permissions on that directory seem fine.
>> > I'm running ODS 1.4.
>> The ZSK policy indicates probably that you have backups required for
>> keys (the output from 'ods-ksmutil update all' also suggests this).
>> After adding a new zone, the new keys needs to be generated, then backed
>> up, and only then you can sign a zone with it.
>> If you run a daily backup job that does the backups (like I have),
>> you'll need to wait up to 24 hours before the new zone is actually signed.
> Thank you for your reply.
> I do not see keys generated for that zone (ods-ksmutil key list
> --verbose). I used "ods-ksmutil backup done" to mark all existing keys as
> backed up and then restarted the enforcer and still new keys for the new
> zone are not generated and the same messages are logged. I also do not
> understand why I have to wait, I presume there is a way to force the
> enforcer to create the keys for the new zone now.
-------------- next part --------------
An HTML attachment was scrubbed...
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 3276 bytes
Desc: not available
More information about the Opendnssec-user