Fwd: [Opendnssec-user] add new zone to ODS

Emil Natan shlyoko at gmail.com
Tue Feb 25 15:03:01 UTC 2014


Sorry, I do not remember anything strange that happened or at least I did
not pay attention. Anyway I can send you off-list an excerpt of the log that
contains everything related to that policy and the zones I configured to
use that policy. I hope that can also help.
A detail that can be important though is that "lab" was not the first
policy I started with. At first I had two other policies and the conf.xml
file had <ManualKeyGeneration/> option enabled. Later I added the "lab"
policy and removed the ManualKeyGeneration option, because I did not want
to pre-generate too many keys. The first time I ran the enforcer with the
"lab" policy it did not generate keys because of ManualKeyGeneration as can
be seen in the log, then I removed that option and since then I did not
encounter any problems until I tried to add more zones using that policy.


On Tue, Feb 25, 2014 at 3:35 PM, Sara Dickinson <sara at sinodun.com> wrote:

> Hi Emil,
> Sorry for the late response. This sounds similar to an issue we saw a
> while back where there were several keys in the database in an unexpected
> state, which caused a problem with the key allocation algorithm:
> https://issues.opendnssec.org/browse/OPENDNSSEC-546
> I'll send you an email off-list to confirm this and then we can clean up
> the problem keys.
> We didn't ever manage to work out how the keys got in this state - do you
> remember anything strange happening at any stage with the zones on the lab
> policy?
> We are adding tools in the next patch release that should make this
> problem easier to diagnose and clean up and we are also looking at how we
> can make the enforcer more robust to this kind of problem in future.
> Best regards
> Sara.
> On 25 Feb 2014, at 12:59, Emil Natan <shlyoko at gmail.com> wrote:
> > Ok, I think I'm getting closer. I already had a zone using the "lab"
> > policy which was working well. Tried to add test.org to "lab" as well and
> > got into the issues I already mentioned. Then I changed the policy for
> > test.org to something else and it worked, signconf file was created, keys
> > generated and zone signed. Then tried to add two new zones, one using "lab"
> > and another one using "testpolicy" policy and again I had a problem for the
> > zone using "lab" and the one using "testpolicy" worked well. A test
> > kasp.xml file including both policies is attached. Just to make it clear I
> > already have a zone using the "lab" policy which works well, but the second
> > zone I add fails. Any ideas?
> > Thank you in advance.
> >
> > ena
> >