[Opendnssec-user] key export in ods 2.0.1

Fred.Zwarts F.Zwarts at KVI.nl
Wed Aug 10 09:35:54 UTC 2016


So, to get the export the --keystate option of ods-enforcer must be used. I 
could not find in the documentation how the different keystates can be 
specified. I see that "retire" and "active" are accepted, but "ds-seen", or 
"waiting for ds-seen" result in "unknown keystate, Error parsing arguments". 
Where can I find a list of acceptable keystates?

Fred.Zwarts.

"Fred.Zwarts"  wrote in message news:noem06$4sl$1 at blaine.gmane.org...

# ods-enforcer key list --zone KVI.nl
Keys:
Zone:                           Keytype: State:    Date of next transition:
KVI.nl                          KSK      retire    2016-08-12 16:33:10
KVI.nl                          ZSK      active    2016-08-12 16:33:10
KVI.nl                          ZSK      ready     2016-08-12 16:33:10
KVI.nl                          KSK      active    2016-08-12 16:33:10
key list completed in 0 seconds.
# ods-enforcer key export --zone KVI.nl -t KSK
key export completed in 0 seconds.
# ods-enforcer key export --zone KVI.nl --keystate active
KVI.nl. 3600    IN      DNSKEY  257 3 8
AwEAAcVFSs7AaspVxBjZSX8WP6nsIBcSwxM4JW3ZCmxCE9J3RIe9iujl2T0UT9oPqyLC8gI42Pbg0bLJweEjJXGFnA2NDDmUq4mcdflg0s8S2R36eX7uaK22lmv/n6etgRv5haoeEQOn+2tbb5+JUzty/NS+HoPNGf0zzPewkkZg+1gKmW+lgBnWw4thMPwcGsDz8b0vUpneOPiKlA5jx0EBmKLcSh3S5RBmgSMxFdn+gIAsoFw96fJcimF74a9acf9Z19WnPOOJ3nIsp7dMpwEiWqOlEgoPPxgGIZKwF6b5kZ/uPrSsbHHDOIVv4k6gkSmqaLV8HNqTxXpl1svPNtUOzqE=
;{id = 38854 (ksk), size = 2048b}
key export completed in 0 seconds.
#

So, adding "-t KSK" did not help, but adding "--keystate active" did.
Apparently, the default is not ready and active, but "waiting for ds-seen"?

Fred.Zwarts.

"Yuri Schaeffer"  wrote in message
news:7be600ce-153f-7c42-046e-5c4ce5ad5c2b at nlnetlabs.nl...

Hi Fred,

On 09-08-16 17:14, Fred.Zwarts wrote:
> There are active and ready keys:
>
> # ods-enforcer key list --zone KVI.nl
> Keys:
> Zone:                           Keytype: State:    Date of next transition:
> KVI.nl                          KSK      retire    2016-08-12 16:33:10
> KVI.nl                          ZSK      active    2016-08-12 16:33:10
> KVI.nl                          ZSK      ready     2016-08-12 16:33:10
> KVI.nl                          KSK      active    2016-08-12 16:33:10
> key list completed in 0 seconds.
> # ods-enforcer key export --zone KVI.nl
> key export completed in 0 seconds.

I'll rephrase Hoda's words to make it a bit more accurate: key export
prints the keys that need to be submitted to the parent zone and are not
ds-seen yet. So if it would say "waiting for ds-seen" your key export
would also show you the DNSKEY record.

try:
ods-enforcer key export --zone KVI.nl -t KSK

//Yuri 




