[Opendnssec-user] key export in ods 2.0.1
Fred.Zwarts
F.Zwarts at KVI.nl
Wed Aug 10 07:44:09 UTC 2016
# ods-enforcer key list --zone KVI.nl
Keys:
Zone: Keytype: State: Date of next transition:
KVI.nl KSK retire 2016-08-12 16:33:10
KVI.nl ZSK active 2016-08-12 16:33:10
KVI.nl ZSK ready 2016-08-12 16:33:10
KVI.nl KSK active 2016-08-12 16:33:10
key list completed in 0 seconds.
# ods-enforcer key export --zone KVI.nl -t KSK
key export completed in 0 seconds.
# ods-enforcer key export --zone KVI.nl --keystate active
KVI.nl. 3600 IN DNSKEY 257 3 8
AwEAAcVFSs7AaspVxBjZSX8WP6nsIBcSwxM4JW3ZCmxCE9J3RIe9iujl2T0UT9oPqyLC8gI42Pbg0bLJweEjJXGFnA2NDDmUq4mcdflg0s8S2R36eX7uaK22lmv/n6etgRv5haoeEQOn+2tbb5+JUzty/NS+HoPNGf0zzPewkkZg+1gKmW+lgBnWw4thMPwcGsDz8b0vUpneOPiKlA5jx0EBmKLcSh3S5RBmgSMxFdn+gIAsoFw96fJcimF74a9acf9Z19WnPOOJ3nIsp7dMpwEiWqOlEgoPPxgGIZKwF6b5kZ/uPrSsbHHDOIVv4k6gkSmqaLV8HNqTxXpl1svPNtUOzqE=
;{id = 38854 (ksk), size = 2048b}
key export completed in 0 seconds.
#
So, adding "-t KSK" did not help, but adding "--keystate active" did.
Apparently, the default is not ready and active, but "waiting for ds-seen"?
Fred.Zwarts.
"Yuri Schaeffer" schreef in bericht
news:7be600ce-153f-7c42-046e-5c4ce5ad5c2b at nlnetlabs.nl...
Hi Fred,
On 09-08-16 17:14, Fred.Zwarts wrote:
> There are active and ready keys:
>
> # ods-enforcer key list --zone KVI.nl
> Keys:
> Zone: Keytype: State: Date of next
> transition:
> KVI.nl KSK retire 2016-08-12 16:33:10
> KVI.nl ZSK active 2016-08-12 16:33:10
> KVI.nl ZSK ready 2016-08-12 16:33:10
> KVI.nl KSK active 2016-08-12 16:33:10
> key list completed in 0 seconds.
> # ods-enforcer key export --zone KVI.nl
> key export completed in 0 seconds.
I'll rephrase Hoda's words to make it a bit more accurate: key export
prints the keys that need to be submitted to the parent zone and are not
ds-seen yet. So if it would say "waiting for ds-seen" your key export
would also show you the DNSKEY record.
try:
ods-enforcer key export --zone KVI.nl -t KSK
//Yuri
More information about the Opendnssec-user
mailing list