[Opendnssec-user] Expected behavior when changing zone policy and problem with key generation
Sebastian Wiesinger
sebastian at karotte.org
Tue Jul 28 09:12:30 UTC 2015
* Yuri Schaeffer <yuri at nlnetlabs.nl> [2015-07-28 11:06]:
> >> OpenDNSSEC pre-generates keys for later use. Likely a formerly
> >> generated but unused key was still available.
> >
> > But the keylist was empty (there are no other zones in the zonelist
> > at the moment) and the zone was not signed at all.
>
> Key list will only show keys that are in use by being assigned to a zone
Okay but still these "hidden" keys were not used to sign the zone...
how can I force the zone to be signed (either with a new key or with
one of the "hidden" available keys)? In that regard, it tells me that
no keys are available, which is kind of misleading:
Not enough keys to satisfy zsk policy for zone: dnssec-test.intern. keys_to_allocate(1) = keys_needed(1) - (keys_available(0) - keys_pending_retirement(0))
Jul 27 16:34:36 alita ods-enforcerd: Tried to allocate 1 keys, failed on allocating key number 1
Still can't wrap my head around what I was supposed to do to get the
zone signed.
Regards
Sebastian
--
GPG Key: 0x93A0B9CE (F4F6 B1A3 866B 26E9 450A 9D82 58A2 D94A 93A0 B9CE)
'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE.
-- Terry Pratchett, The Fifth Elephant