[Opendnssec-user] ods-enforcerd in error loop required manual ods-ksmutil hacking to get unstuck :(

Paul Wouters paul at nohats.ca
Tue Sep 23 16:19:19 CEST 2014

On Tue, 23 Sep 2014, Matthijs Mekking wrote:

>> And for unknown reasons it is now only creating a single RRSIG record
>> for the DNSKEY set (by the KSK) and none of the RRSIG records by the
>> ZSK, turning these 4 zones into bogus :(
>> Deleting all files in /var/opendnssec/tmp/ and /var/opendnssec/signed/
>> and even /var/opendnssec/signconf/ and running ods-ksmutil update all
>> did not resolve this issue:
> If you need such recovery, you also want to restart the signer after removing 
> these files, as the data is now retained in memory.

That was done. It just choked in the missing ZSK spare key, and therefor
didn't sign any data with the ZSK, and the "signed" zone had no ZSK
based RRSIG's.


More information about the Opendnssec-user mailing list