Re: [Opendnssec-user] KSK rollover not working in time

Klaus Darilion klaus.mailinglists at pernau.at
Tue Jul 15 15:18:28 UTC 2014


You may try to stop the enforcer, and then run it manually only one time
in debug mode:

ods-enforcerd -d -1

It also may be that the enforcer did not receive the notify (IIRC they
use sockets for interaction and there may be file permission
issues), e.g. when enforcer and ksm-util are running as different users.


regards
Klaus

On 15.07.2014 17:01, Christoph.Malin at vtg.at wrote:
> Hi Klaus,
> 
> yes, I notified the enforcer with the command: ods-ksmutil notify
> 
> After I issued ods-ksmutil key list --verbose there is still only one KSK two days before the KSK retires.
> 
> Regards
> Christoph
> 
> 
> -----Original Message-----
> From: Klaus Darilion [mailto:klaus.mailinglists at pernau.at]
> Sent: Tuesday, 15 July 2014 16:38
> To: Malin Christoph; opendnssec-user at lists.opendnssec.org
> Subject: Re: [Opendnssec-user] KSK rollover not working in time
> 
> 
> On 15.07.2014 16:26, Christoph.Malin at vtg.at wrote:
>> Hi,
>>
>>  
>>
>> I'm playing around with opendnssec. I added a zone to opendnssec and 
>> it was signed.
>>
>> Then I changed the date of the server to (12.07.2015), a few days 
>> before the KSK retires.
>>
>>  
>>
>> In the log file:
>>
>> Rollover of KSK expected at 2015-07-15 18:20:53 for vtg.at
>>
>>  
>>
>> Also when I print the current keys:
>>
>> vtg.at                          KSK           active    2015-07-15 18:20:53 (retire)
> 
> Have you manually run the enforcer? AFAIK the enforcer is run only once an hour and it may not have run after you updated the local time.
> 
> regards
> Klaus
> 
>>
>>  
>>
>> Then I changed the date to 2015-07-16. Suddenly a second KSK was here.
>>
>> vtg.at                          KSK           ready     waiting for ds-seen (active)   2048
>>
>>  
>>
>> Why was the key not generated before the retire? I want the key 
>> to be generated 10 days before it expires.
>>
>> Otherwise the chain of trust is broken.
>>
>>  
>>
>> Can anybody help me?
>>
>>  
>>
>> Best regards,
>>
>> Christoph
>>
>>  
>>
>>
>>
>> _______________________________________________
>> Opendnssec-user mailing list
>> Opendnssec-user at lists.opendnssec.org
>> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
>>


