[Opendnssec-user] KSK rollover not working in time
Klaus Darilion
klaus.mailinglists at pernau.at
Tue Jul 15 14:37:44 UTC 2014
On 15.07.2014 16:26, Christoph.Malin at vtg.at wrote:
> Hi,
>
> I’m playing around with opendnssec. I added a zone to opendnssec and it
> was signed.
>
> Then I changed the date of the server to 12.07.2015, a few days
> before the KSK retires.
>
> In the log file:
>
> Rollover of KSK expected at 2015-07-15 18:20:53 for vtg.at
>
> Also when I print the current keys:
>
> vtg.at KSK active 2015-07-15 18:20:53 (retire)

Have you manually run the enforcer? AFAIK the enforcer is run only once
an hour and it may not have run after you have updated the local time.

regards
Klaus

>
> Then I changed the date to 2015-07-16. Suddenly a second KSK was here.
>
> vtg.at KSK ready waiting for ds-seen (active) 2048
>
> Why was the key not generated before the retire? I want the key
> to be generated 10 days before it expires.
>
> Otherwise the chain of trust is broken.
>
> Can anybody help me?
>
> Best regards,
>
> Christoph