Re: [Opendnssec-user] KSK rollover not working in time

Christoph.Malin at vtg.at Christoph.Malin at vtg.at
Tue Jul 15 15:01:34 UTC 2014


Hi Klaus,

yes, I notified the enforcer with the command: ods-ksmutil notify

After I issued ods-ksmutil key list --verbose there is still only one KSK two days before the KSK retires.

Regards
Christoph


-----Original Message-----
From: Klaus Darilion [mailto:klaus.mailinglists at pernau.at]
Sent: Tuesday, 15 July 2014 16:38
To: Malin Christoph; opendnssec-user at lists.opendnssec.org
Subject: Re: [Opendnssec-user] KSK rollover not working in time


On 15.07.2014 16:26, Christoph.Malin at vtg.at wrote:
> Hi,
>
> I'm playing around with opendnssec. I added a zone to opendnssec and
> it was signed.
>
> Then I changed the date of the server to (12.07.2015), a few days
> before the KSK retires.
>
> In the log file:
> 
> Rollover of KSK expected at 2015-07-15 18:20:53 for vtg.at
>
> Also when I print the current keys:
>
> vtg.at                          KSK           active    2015-07-15 18:20:53 (retire)

Have you manually run the enforcer? AFAIK the enforcer is run only once an hour and it may not have run after you updated the local time.

regards
Klaus

>
> Then I changed the date to 2015-07-16. Suddenly a second KSK was here.
>
> vtg.at                          KSK           ready     waiting for ds-seen (active)   2048
>
> Why was the key not generated before the retire? I want the key to be
> generated 10 days before it expires.
>
> Otherwise the chain of trust is broken.
>
> Can anybody help me?
> 
>  
> 
> Best regards,
> 
> Christoph