[Opendnssec-user] Expected behavior when changing zone policy and problem with key generation

Yuri Schaeffer yuri at nlnetlabs.nl
Tue Jul 28 09:53:14 UTC 2015

Hash: SHA1

On 28-07-15 11:12, Sebastian Wiesinger wrote:
> * Yuri Schaeffer <yuri at nlnetlabs.nl> [2015-07-28 11:06]:
>>>> OpenDNSSEC pre-generates keys for later use. Likely a
>>>> formerly generated but unused key was still available.
>>> But the keylist was empty (there are no other zones in the
>>> zonelist at the moment) and the zone was not signed at all.
>> Key list will only show keys that are in use by being assigned to
>> a zone
> Okay but still these "hidden" keys were not used to sign the
> zone... how can I force the zone to be signed (either with a new
> key or with one of the "hidden" available keys). In that regards,
> it tells me that no keys are available which is kind of
> missleading:
> Not enough keys to satisfy zsk policy for zone: dnssec-test.intern.
> keys_to_allocate(1) = keys_needed(1) - (keys_available(0) -
> keys_pending_retirement(0)) Jul 27 16:34:36 alita ods-enforcerd:
> Tried to allocate 1 keys, failed on allocating key number 1

Ah, I missed that part in your log output. Not sure what happened
here. My best guess is some conflicting state in the database after
changing policies for your zone. Switching policies is not something
we can currently do. A more in depth answer would involve even more
hand waiving.

Version: GnuPG v2


More information about the Opendnssec-user mailing list