[Opendnssec-user] termination of obs2 DelegationSignerSubmitCommand input stream missing?

PGNet Dev pgnet.dev at gmail.com
Mon Dec 19 22:22:56 UTC 2016


On 12/19/2016 01:59 PM, Yuri Schaeffer wrote:
>> I suspect it's waiting for termination.
> 
> At this point I haven't looked into it yet but judging from your mail
> I'd say the script simply isn't called yet. It takes some time for the
> zone to be ready to introduce the DS records. Only when it is will it
> call the script.
> 
> Try "ods-enforcer key list". If the state of the KSK isn't 'waiting for
> ds-seen' the DS record is simply not submitted.

that shows that it IS ...

	/usr/local/opendnssec/sbin/ods-enforcer key list --verbose
		Keys:
		Zone:                           Keytype: State:    Date of next transition: Size: Algorithm: CKA_ID:                          Repository: KeyTag:
		example.info                    KSK      ready     waiting for ds-seen      2048  8          690c90a78f1ba38fcbf76f248a4fe47e SoftHSM     56995
		example.info                    ZSK      active    2016-12-19 17:25:55      1024  8          0c60caf105ce9edef9048b19eed84db9 SoftHSM     6126

reading,

	https://www.opendnssec.org/documentation/using-opendnssec/

suggests exec'ing

	/usr/local/opendnssec/sbin/ods-ksmutil key ds-seen -z example.info -x 56995

but

	ls /usr/local/opendnssec/sbin/ods-ksmutil
		ls: cannot access '/usr/local/opendnssec/sbin/ods-ksmutil': No such file or directory
	find /usr/local/opendnssec/ | grep ksm
		(empty)

this

	https://wiki.opendnssec.org/display/DOCS20/conf.xml

refers to

	ods-ksmutil

@ src, 

	cat NEWS
		...
		* OPENDNSSEC-390: ods-ksmutil: Add an option to the 'ods-ksmutil key ds-seen'
		  command so the user can choose not to notify the enforcer.
		...

after a bit of digging, seems !ods-ksmutil, but ods-enforcer is to be used (would be helpful if DOCS reflected that)

	/usr/local/opendnssec/sbin/ods-enforcer key ds-seen -z example.info -x 56995
		1 KSK matches found.
		1 KSKs changed.

now,

	/usr/local/opendnssec/sbin/ods-enforcer key list --verbose
		Keys:
		Zone:                           Keytype: State:    Date of next transition: Size: Algorithm: CKA_ID:                          Repository: KeyTag:
		example.info                    KSK      active    2016-12-19 17:25:55      2048  8          690c90a78f1ba38fcbf76f248a4fe47e SoftHSM     56995
		example.info                    ZSK      active    2016-12-19 17:25:55      1024  8          0c60caf105ce9edef9048b19eed84db9 SoftHSM     6126

So a state change, but still no email sent.

Is there another step, or different action, needed?
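
Added example, not part of the original post or of OpenDNSSEC's own tooling: a shell filter that reads `ods-enforcer key list --verbose` output in the layout shown above and lists each KSK still "waiting for ds-seen", giving the zone and KeyTag values that `ods-enforcer key ds-seen -z ... -x ...` takes. The function names are hypothetical, and it assumes zone and repository names contain no spaces.

```shell
#!/bin/sh
# Added example (not from the original post).

# Constructed sample: the key list layout shown in the post.
sample_key_list() {
cat <<'EOF'
Keys:
Zone:                           Keytype: State:    Date of next transition: Size: Algorithm: CKA_ID:                          Repository: KeyTag:
example.info                    KSK      ready     waiting for ds-seen      2048  8          690c90a78f1ba38fcbf76f248a4fe47e SoftHSM     56995
example.info                    ZSK      active    2016-12-19 17:25:55      1024  8          0c60caf105ce9edef9048b19eed84db9 SoftHSM     6126
EOF
}

# Reads key list output on stdin and prints "zone keytag cka_id"
# for every KSK whose next transition is "waiting for ds-seen".
pending_ds_seen() {
    awk '
        # Skip the "Keys:" banner and the column header line.
        $1 == "Keys:" || $1 == "Zone:" { next }
        # A key row has 3 leading fields, >= 1 transition word, 5 trailing fields.
        NF < 9 { next }
        {
            zone = $1; keytype = $2
            keytag = $NF; cka_id = $(NF - 2)
            # The transition column contains spaces ("waiting for ds-seen"
            # or a date and time), so rebuild it from fields 4 .. NF-5.
            next_tr = ""
            for (i = 4; i <= NF - 5; i++)
                next_tr = next_tr (next_tr == "" ? "" : " ") $i
            if (keytype == "KSK" && next_tr == "waiting for ds-seen")
                print zone, keytag, cka_id
        }
    '
}

# Stand-alone run on the constructed sample. On a live system:
#   ods-enforcer key list --verbose | pending_ds_seen
sample_key_list | pending_ds_seen
```

The filter only reports keys; it does not run `ds-seen`.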





