[Opendnssec-user] Expected behavior when changing zone policy and problem with key generation

Yuri Schaeffer yuri at nlnetlabs.nl
Tue Jul 28 09:53:14 UTC 2015


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 28-07-15 11:12, Sebastian Wiesinger wrote:
> * Yuri Schaeffer <yuri at nlnetlabs.nl> [2015-07-28 11:06]:
>>>> OpenDNSSEC pre-generates keys for later use. Likely a
>>>> formerly generated but unused key was still available.
>>> 
>>> But the keylist was empty (there are no other zones in the
>>> zonelist at the moment) and the zone was not signed at all.
>> 
>> Key list will only show keys that are in use by being assigned to
>> a zone
> 
> Okay but still these "hidden" keys were not used to sign the
> zone... how can I force the zone to be signed (either with a new
> key or with one of the "hidden" available keys). In that regard,
> it tells me that no keys are available which is kind of
> misleading:
> 
> Not enough keys to satisfy zsk policy for zone: dnssec-test.intern.
> keys_to_allocate(1) = keys_needed(1) - (keys_available(0) -
> keys_pending_retirement(0))
> Jul 27 16:34:36 alita ods-enforcerd: Tried to allocate 1 keys,
> failed on allocating key number 1

Ah, I missed that part in your log output. Not sure what happened
here. My best guess is some conflicting state in the database after
changing policies for your zone. Switching policies is not something
we can currently do. A more in-depth answer would involve even more
hand waving.

//Yuri
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iEYEARECAAYFAlW3UQoACgkQI3PTR4mhavgT1ACgw2lXbN7Iik3FEFNFhsZu/2L6
R9AAoLf4BhjdzADiWxcpbOcPYBlvOlL7
=zteN
-----END PGP SIGNATURE-----
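The two ods-enforcerd lines quoted above carry the whole diagnosis in their numbers: keys_to_allocate = keys_needed - (keys_available - keys_pending_retirement), and a follow-up line says the allocation then failed. The following is an added example, not code from the thread or from the OpenDNSSEC project: a small Python parser that pulls those fields out of enforcer syslog output, re-evaluates the formula, and flags zones where the enforcer could not allocate any key (keys_available(0), the case in this thread). The sample log is constructed here; its first two lines reproduce the messages quoted above and the remaining lines are made up to exercise the parser.

```python
import re
from dataclasses import dataclass

# Constructed sample of ods-enforcerd syslog output. The first two lines
# reproduce the messages quoted in the thread; the rest are made up here
# to exercise the parser (zone names and counts are illustrative).
SAMPLE_LOG = """\
Jul 27 16:34:36 alita ods-enforcerd: Not enough keys to satisfy zsk policy for zone: dnssec-test.intern. keys_to_allocate(1) = keys_needed(1) - (keys_available(0) - keys_pending_retirement(0))
Jul 27 16:34:36 alita ods-enforcerd: Tried to allocate 1 keys, failed on allocating key number 1
Jul 27 16:34:37 alita ods-enforcerd: Not enough keys to satisfy ksk policy for zone: example.test. keys_to_allocate(2) = keys_needed(3) - (keys_available(2) - keys_pending_retirement(1))
Jul 27 16:34:37 alita ods-enforcerd: Tried to allocate 2 keys, failed on allocating key number 1
Jul 27 16:35:01 alita ods-enforcerd: Zone dnssec-test.intern. found.
"""

# Field layout taken from the message text quoted in the thread.
SHORTAGE_RE = re.compile(
    r"Not enough keys to satisfy (?P<role>ksk|zsk) policy for zone: (?P<zone>\S+)\s+"
    r"keys_to_allocate\((?P<to_allocate>\d+)\) = keys_needed\((?P<needed>\d+)\) - "
    r"\(keys_available\((?P<available>\d+)\) - keys_pending_retirement\((?P<pending>\d+)\)\)"
)
FAILURE_RE = re.compile(
    r"Tried to allocate (?P<requested>\d+) keys, failed on allocating key number (?P<failed_at>\d+)"
)


@dataclass
class KeyShortage:
    zone: str
    role: str
    to_allocate: int
    needed: int
    available: int
    pending_retirement: int
    allocation_failed: bool = False

    def arithmetic_consistent(self) -> bool:
        """The enforcer's own formula, re-evaluated from the parsed counts."""
        return self.to_allocate == self.needed - (self.available - self.pending_retirement)

    def nothing_usable(self) -> bool:
        """True when the enforcer sees no key it could assign at all,
        which is the situation described in the thread (keys_available(0))."""
        return self.available - self.pending_retirement <= 0


def parse_shortages(log_text: str) -> list[KeyShortage]:
    """Extract one KeyShortage per 'Not enough keys' line, marking it as a
    hard failure if a following enforcer line reports a failed allocation."""
    shortages: list[KeyShortage] = []
    for line in log_text.splitlines():
        m = SHORTAGE_RE.search(line)
        if m:
            shortages.append(KeyShortage(
                zone=m["zone"], role=m["role"],
                to_allocate=int(m["to_allocate"]), needed=int(m["needed"]),
                available=int(m["available"]), pending_retirement=int(m["pending"]),
            ))
            continue
        if FAILURE_RE.search(line) and shortages:
            shortages[-1].allocation_failed = True
    return shortages


def zones_needing_attention(log_text: str) -> dict[str, list[str]]:
    """Map zone -> key roles for which the enforcer could not allocate keys."""
    result: dict[str, list[str]] = {}
    for s in parse_shortages(log_text):
        if s.allocation_failed:
            result.setdefault(s.zone, []).append(s.role)
    return result


if __name__ == "__main__":
    for s in parse_shortages(SAMPLE_LOG):
        print(f"{s.zone} {s.role}: need {s.to_allocate} more, "
              f"usable now {s.available - s.pending_retirement}, "
              f"consistent={s.arithmetic_consistent()}, failed={s.allocation_failed}")
    print(zones_needing_attention(SAMPLE_LOG))
```

Run against a real enforcer log, a zone with available minus pending_retirement at zero is one whose key pool the enforcer cannot draw from for that role, which is what the "no keys available" wording means; that is distinct from a zone whose shortfall is merely a pending retirement that a later enforcer run will resolve.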
