[Opendnssec-user] Error allocating ksks / zsks
Havard Eidnes
he at uninett.no
Mon Feb 8 08:10:50 UTC 2016
>> so I worried that the key in the "generate" state for the
>> godegrep.no zone might mess things up (orphaned?), so it is now
>> history:
>
> This removal of the apparently orphaned key in "generate" state
> seems to have unwedged this one. [...]
...
> ods @ hugin: {29} ods-ksmutil key list --all --zone godegrep.no
> Keys:
> Zone: Keytype: State: Date of next transition:
> godegrep.no KSK active 2015-12-13 15:12:43
> godegrep.no ZSK dead to be deleted
> godegrep.no ZSK active 2016-01-07 04:30:48
> godegrep.no ZSK publish 2016-02-03 15:49:40
> godegrep.no KSK publish 2016-02-03 15:49:40
>
> ods @ hugin: {30}

So ... deleting the key stuck in "generate" state completed the
key rotation, but there still seems to be something odd with the
old keys, as the current state is:

ods @ hugin: {34} ods-ksmutil key list --all --zone godegrep.no
Keys:
Zone: Keytype: State: Date of next transition:
godegrep.no KSK dead to be deleted
godegrep.no ZSK dead to be deleted
godegrep.no ZSK retire 2016-02-25 05:55:10
godegrep.no ZSK active 2016-03-05 00:40:10
godegrep.no KSK active 2017-02-03 12:30:11
ods @ hugin: {35}

Why doesn't the enforcer actually delete the now-dead keys?

(I tried finding a way to comment on the OPENDNSSEC-752 issue via
the bug tracker, but didn't find a way to do that despite being
logged in, possibly because it's not "my" ticket.)

Regards,

- Håvard