[Opendnssec-user] Error allocating ksks / zsks
Havard Eidnes
he at uninett.no
Wed Feb 3 08:41:16 UTC 2016

For the other zone, the 2.1.2.6.1.9.3.7.7.4.nrenum.net zone, I
tried another approach, namely I tried to initiate a manual key
rollover for both the ZSK and the KSK:

ods @ hugin: {22} ods-ksmutil key list --all --zone 2.1.2.6.1.9.3.7.7.4.nrenum.net
Keys:
Zone: Keytype: State: Date of next transition:
2.1.2.6.1.9.3.7.7.4.nrenum.net KSK active 2016-12-09 23:42:31
2.1.2.6.1.9.3.7.7.4.nrenum.net ZSK active 2016-01-06 00:25:00
ods @ hugin: {23} ods-ksmutil key rollover --zone 2.1.2.6.1.9.3.7.7.4.nrenum.net -t zsk
Manual key rollover for key type zsk on zone 2.1.2.6.1.9.3.7.7.4.nrenum.net initiated
Notifying enforcer of new database...
ods @ hugin: {24} ods-ksmutil key list --all --zone 2.1.2.6.1.9.3.7.7.4.nrenum.net
Keys:
Zone: Keytype: State: Date of next transition:
2.1.2.6.1.9.3.7.7.4.nrenum.net KSK active 2016-12-09 23:42:31
2.1.2.6.1.9.3.7.7.4.nrenum.net ZSK active 2016-02-03 09:33:23
ods @ hugin: {25} ods-ksmutil key rollover --zone 2.1.2.6.1.9.3.7.7.4.nrenum.net -t ksk
Manual key rollover for key type ksk on zone 2.1.2.6.1.9.3.7.7.4.nrenum.net initiated
Notifying enforcer of new database...
ods @ hugin: {26} ods-ksmutil key list --all --zone 2.1.2.6.1.9.3.7.7.4.nrenum.net
Keys:
Zone: Keytype: State: Date of next transition:
2.1.2.6.1.9.3.7.7.4.nrenum.net KSK active 2016-02-03 09:34:38
2.1.2.6.1.9.3.7.7.4.nrenum.net ZSK active 2016-02-03 09:33:23
ods @ hugin: {27}

Looking at the log I still see errors of this type:

Feb 3 09:35:00 hugin ods-enforcerd: Not enough keys to satisfy zsk policy for zone: 2.1.2.6.1.9.3.7.7.4.nrenum.net. keys_to_allocate(1) = keys_needed(1) - (keys_available(1) - keys_pending_retirement(1))
Feb 3 09:35:00 hugin ods-enforcerd: Tried to allocate 1 keys, failed on allocating key number 1
Feb 3 09:35:00 hugin ods-enforcerd: ods-enforcerd will create some more keys on its next run
Feb 3 09:35:00 hugin ods-enforcerd: Error allocating zsks to zone 2.1.2.6.1.9.3.7.7.4.nrenum.net

and similarly for the attempt at rolling the ZSK.

Bah!

Regards,

- Håvard