[Opendnssec-user] Serial problem after rollover in 2.0.1

Fred.Zwarts F.Zwarts at KVI.nl
Fri Sep 16 09:32:28 UTC 2016

"Yuri Schaeffer"  schreef in bericht 
news:46da313f-2c47-92b1-8c3d-cc1af1ec6d65 at nlnetlabs.nl...
>Hi Fred,
>> The log message "If this is the result of a key rollover ..." suggests
>> (at least to me) that it is normal that a manual intervention is needed
>> during a roll-over, but we are not used to it.
>> Is this a bug, or is it the intended behavior?
>> Are there new options to be included in the configuration?
>I'm guessing you use 'keep' strategy[0] for the SOA. Then you are
>responsible to increment the serial yourself and the signer is unable to
>push out updates when that hasn't happened.
>The reason for the message is that the enforcer can have the signer
>notified that a resign needs to happen. (because a key rollover for
>example). But with this serial strategy the signer can't without a SOA
>So make sure your serial in the input zone is greater than 2016091511.
>But better would be to use 'datecounter' to let the signer manage the

We never had this problem with 1.4. From our /etc/opendnssec/kasp.xml:


The kasp.xml has not been touched since December 2015.
So, there must be something else. Could it be that the migration of the 
database changed it from datacounter to keep?
Should I update the configuration after the migration? 

More information about the Opendnssec-user mailing list