[Opendnssec-user] Re: Transition time in the past.

Fred.Zwarts. F.Zwarts at KVI.nl
Tue Mar 25 13:59:39 UTC 2014


Hi Sion,

Thanks for the fast reaction.

ods-ksmutil key list --verbose shows the following for the zone:
erdg.usor.nl                    KSK           dsready   When required (keypub)         2048    8           67f63f125f0bdecc4d944d63acbc02b6  SoftHSM      29011
erdg.usor.nl                    KSK           active    2014-12-17 09:33:44 (retire)   2048    8           de3caeee0bb69f71f028c360029f328e  SoftHSM      54566
erdg.usor.nl                    ZSK           active    2014-03-19 16:24:03 (retire)   1024    8           1c3824bbf4435bc34878845cc44f8194  SoftHSM      39801
erdg.usor.nl                    ZSK           ready     next rollover (active)         1024    8           97a9eb2b25236af4bb0e1ee998e0131d  SoftHSM      37948

In the log file I see messages like:
Mar 25 02:00:05 dns ods-enforcerd: Not enough keys to satisfy zsk policy for zone: erdg.usor.nl

I can generate keys manually, but shouldn't these keys be generated 
automatically, if needed?
Could it be that other zones with the same (shared keys) policy were created 
later and are not yet at their roll-over time?

Thanks for any advice.


"Siôn Lloyd" wrote in message news:5331818C.6010301 at nominet.org.uk...

On 25/03/14 13:06, Fred.Zwarts. wrote:
> We are running ODS 1.4.3 for some weeks now. We have some zones for
> which we use policies with shared keys. It has been running well. I
> have seen a few zones that performed a ZSK roll-over at the scheduled
> times. But now I discovered a zone for which the active ZSK has a
> transition time a few days in the past. It looks as if it did not roll
> over in time.
> Each night, ODS is stopped in order to make a consistent backup of its
> state and started again afterwards, with "ods-control stop" and
> "ods-control start" respectively, but this does not trigger a roll-over
> for transition times in the past.
> Is there a good explanation for this behaviour, or is it a bug?
>

Hi Fred,

Is there a replacement key published in the zone? If so what state is it in?

Are there any log messages to do with that zone that might give a clue
as to what is happening?

Stopping and starting the enforcer should be fine, assuming it starts
back up properly of course (log messages should indicate if it failed to
restart).

Sion 
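
The questions Sion asks (is there a replacement key, what state is it in, has the transition time passed) can be checked mechanically across many zones instead of by eye. The script below is an added example, not part of this thread and not OpenDNSSEC's own code: it parses the `ods-ksmutil key list --verbose` rows quoted above (re-joined one per line; the column layout is assumed from ODS 1.4 output) and reports transitions whose time has already passed and active keys that have no successor in a publish/ready/dsready state. The second sample zone `example.test`, the `check_key_list` wrapper and the choice of successor states are constructed here for illustration.

```python
import re
from datetime import datetime

# Constructed sample input: the four rows from the key list above, re-joined
# onto one line each. The column layout (zone, type, state, next transition
# with the target state in parentheses, size, algorithm, CKA_ID, repository,
# keytag) is assumed from ODS 1.4 `ods-ksmutil key list --verbose` output.
SAMPLE_KEY_LIST = """\
erdg.usor.nl  KSK  dsready  When required (keypub)        2048  8  67f63f125f0bdecc4d944d63acbc02b6  SoftHSM  29011
erdg.usor.nl  KSK  active   2014-12-17 09:33:44 (retire)  2048  8  de3caeee0bb69f71f028c360029f328e  SoftHSM  54566
erdg.usor.nl  ZSK  active   2014-03-19 16:24:03 (retire)  1024  8  1c3824bbf4435bc34878845cc44f8194  SoftHSM  39801
erdg.usor.nl  ZSK  ready    next rollover (active)        1024  8  97a9eb2b25236af4bb0e1ee998e0131d  SoftHSM  37948
"""

# Second constructed sample (hypothetical zone): an overdue active ZSK with
# no replacement key published at all.
SAMPLE_NO_SUCCESSOR = """\
example.test  ZSK  active   2014-03-19 16:24:03 (retire)  1024  8  0123456789abcdef0123456789abcdef  SoftHSM  11111
"""

# States in which a waiting replacement key can sit (assumed set, chosen for
# this example): "publish"/"ready" for either key type, "dsready" for a KSK.
SUCCESSOR_STATES = {"publish", "ready", "dsready"}
TIME_FMT = "%Y-%m-%d %H:%M:%S"

ROW = re.compile(
    r"^(?P<zone>\S+)\s+(?P<type>KSK|ZSK)\s+(?P<state>\S+)\s+"
    r"(?P<when>.+?)\s+\((?P<to>\w+)\)\s+"
    r"(?P<size>\d+)\s+(?P<alg>\d+)\s+(?P<cka>[0-9a-fA-F]+)\s+"
    r"(?P<repo>\S+)\s+(?P<tag>\d+)$"
)


def parse_key_list(text):
    """Turn key-list output into a list of dicts; 'due' is a datetime when the
    next transition has a fixed time, else None ("When required", "next rollover")."""
    keys = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # header line, blank line, or a line wrapped by the mailer
        rec = m.groupdict()
        try:
            rec["due"] = datetime.strptime(rec["when"], TIME_FMT)
        except ValueError:
            rec["due"] = None
        keys.append(rec)
    return keys


def find_problems(keys, now):
    """Report transitions whose time has passed, and active keys with no
    successor waiting in one of SUCCESSOR_STATES, per (zone, key type)."""
    problems = []
    groups = {}
    for k in keys:
        groups.setdefault((k["zone"], k["type"]), []).append(k)
    for (zone, ktype), ks in sorted(groups.items()):
        for k in ks:
            if k["due"] is not None and k["due"] < now:
                days_late = (now - k["due"]).days
                problems.append(
                    f"{zone} {ktype} keytag {k['tag']}: transition to '{k['to']}' "
                    f"was due {k['when']} ({days_late} days ago)"
                )
        states = {k["state"] for k in ks}
        if "active" in states and not states & SUCCESSOR_STATES:
            problems.append(
                f"{zone} {ktype}: active key has no successor in {sorted(SUCCESSOR_STATES)}"
            )
    return problems


def check_key_list(text, now_str):
    """Convenience wrapper taking 'now' as a 'YYYY-mm-dd HH:MM:SS' string."""
    return find_problems(parse_key_list(text), datetime.strptime(now_str, TIME_FMT))


if __name__ == "__main__":
    # The mail above is dated 2014-03-25 13:59:39 UTC, so use that as "now".
    for sample in (SAMPLE_KEY_LIST, SAMPLE_NO_SUCCESSOR):
        for p in check_key_list(sample, "2014-03-25 13:59:39") or ["no problems found"]:
            print(p)
```

Run against the quoted key list with the mail's own timestamp, it flags only keytag 39801 (the active ZSK whose retire transition is five days overdue); the ready ZSK 37948 counts as a successor, so the zone is not reported as lacking a replacement. In practice the output of `ods-ksmutil key list --verbose` for all zones would be piped in, and a non-empty result turned into an alert alongside the "Not enough keys to satisfy zsk policy" enforcer log line.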