[Opendnssec-user] termination of obs2 DelegationSignerSubmitCommand input stream missing?

Yuri Schaeffer yuri at nlnetlabs.nl
Wed Dec 21 10:12:42 UTC 2016

> after a bit of digging, seems !ods-ksmutil, but ods-enforcer is to be used (would be helpful if DOCS reflected that)

Whoops, I'll update the 2.0 documentation. There where multiple
erroneous mentions of ods-ksmutil.

> 	/usr/local/opendnssec/sbin/ods-enforcer key ds-seen -z example.info -x 56995
> 		1 KSK matches found.
> 		1 KSKs changed.
> now,
> 	/usr/local/opendnssec/sbin/ods-enforcer key list --verbose
> 		Keys:
> 		Zone:                           Keytype: State:    Date of next transition: Size: Algorithm: CKA_ID:                          Repository: KeyTag:
> 		example.info                    KSK      active    2016-12-19 17:25:55      2048  8          690c90a78f1ba38fcbf76f248a4fe47e SoftHSM     56995
> 		example.info                    ZSK      active    2016-12-19 17:25:55      1024  8          0c60caf105ce9edef9048b19eed84db9 SoftHSM     6126
> So a state change, but still no email sent.
> Is there another step, or different action, needed?

The email should have been sent at an earlier stage. Internally DS
records have these states:

* unsubmitted
* submit
* submitted (waiting for ds-seen)
* seen
* retract
* retracted

The transition between submit and submitted should go automatically when
you have a DelegationSignerSubmitCommand specified. Like you have.

In case the enforcer logged an error it should prepend it with
'keystate_ds_x_cmd'. So please grep your logs for that.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 195 bytes
Desc: OpenPGP digital signature
URL: <http://lists.opendnssec.org/pipermail/opendnssec-user/attachments/20161221/d130c4df/attachment.bin>

More information about the Opendnssec-user mailing list