[Opendnssec-user] ods 2.0.1 ZSK roll-over problem
Fred.Zwarts
F.Zwarts at KVI.nl
Thu Sep 22 07:09:51 UTC 2016
Hi Yuri,
I have been a few days away, so I read your message now.
I am a bit confused about your reply. Does it refer to my first question, in
an earlier mail, about the refusal of the signer to sign the zone because of
the serial?
This was indeed solved with "ods-enforcer policy import".
However, a few days later we got this new problem with a ZSK roll-over,
where ods 2.0.1 completely ruined the zone. No active ZSK was left. The
retiring keys were not in the signed zone, but most of the records were
still signed with the retiring keys. Some more "ods-enforcer policy import"
did not help (of course). Only a few records were signed with the ready ZSK,
which was also in the zone. Only those records could be used with DNSSEC
verification.
Finally, my colleague deleted the zone from the database.
So, I am not able to send you any other information.
Could it be that this problem was also caused by a migration problem, or is
it something else?
Regards,
Fred.Zwarts.
"Yuri Schaeffer" wrote in message
news:0bc2193f-292a-4952-5791-92ec713bcd6e at nlnetlabs.nl...
Hi Fred,
My colleague Hoda found the error. The SOA serial strategy is numbered
differently between 1.4 and 2.0. This is actually a problem with the
migration script not taking this into account.
What should solve your issue is running
ods-enforcer policy import
Your kasp.xml will be reread and any differences applied.
Alternatively you could do it manually in your database (assuming
default policy):
UPDATE policy SET zoneSoaSerial=1 WHERE name = 'default';
I expect that field in your database to be 3, which was 'datacounter' in
1.4 but maps to 'keep' in 2.0.
For us left to do is update the migration script.
Regards,
Yuri
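The failure Fred describes above (retiring ZSKs gone from the DNSKEY RRset while most RRSIGs still reference them, and only a few RRsets signed by the ZSK that is actually published) is detectable from the signed zone alone. The following Python script is an added example, not code from the OpenDNSSEC project or from either author in this thread: it parses a simplified one-record-per-line signed zone, computes each DNSKEY's key tag per RFC 4034 Appendix B, and reports RRSIGs whose key tag matches no published DNSKEY, plus which published ZSKs are actually signing data. The zone content, key material and signature fields are constructed for the example and are not real.

```python
import base64

# Constructed sample of a signed zone (not a real zone). Simplified
# one-record-per-line presentation form; the signature fields are dummy base64.
# The RRSIGs for the SOA and for mail reference key tag 40000, which has no
# matching DNSKEY in the zone: this models the "retiring keys not in the zone,
# but records still signed with them" situation from the thread.
SAMPLE_ZONE = """\
example.test. 3600 IN SOA ns1.example.test. hostmaster.example.test. 2016092201 7200 3600 1209600 3600
example.test. 3600 IN DNSKEY 257 3 13 ECAw
example.test. 3600 IN DNSKEY 256 3 13 AAEC
example.test. 3600 IN RRSIG DNSKEY 13 2 3600 20161001000000 20160901000000 17454 example.test. c2lnMQ==
example.test. 3600 IN RRSIG SOA 13 2 3600 20161001000000 20160901000000 40000 example.test. c2lnMg==
www.example.test. 3600 IN A 192.0.2.10
www.example.test. 3600 IN RRSIG A 13 3 3600 20161001000000 20160901000000 1550 example.test. c2lnMw==
mail.example.test. 3600 IN A 192.0.2.25
mail.example.test. 3600 IN RRSIG A 13 3 3600 20161001000000 20160901000000 40000 example.test. c2lnNA==
"""

ZONE_KEY_FLAG = 0x0100  # bit 7: this DNSKEY is a zone key
SEP_FLAG = 0x0001       # bit 15: Secure Entry Point, conventionally the KSK


def dnskey_keytag(flags, protocol, algorithm, pubkey):
    """Key tag per RFC 4034 Appendix B, computed over the DNSKEY RDATA."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_zone(text):
    """Return (dnskeys, rrsigs): key tag -> flags, and (owner, covered type, key tag) tuples."""
    dnskeys = {}
    rrsigs = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[2] != "IN":
            continue  # skip blank lines and anything not in presentation form
        owner, rtype, rdata = fields[0], fields[3], fields[4:]
        if rtype == "DNSKEY":
            flags, proto, alg = int(rdata[0]), int(rdata[1]), int(rdata[2])
            pubkey = base64.b64decode("".join(rdata[3:]))
            dnskeys[dnskey_keytag(flags, proto, alg, pubkey)] = flags
        elif rtype == "RRSIG":
            # RRSIG RDATA: type covered, alg, labels, orig TTL, expiration,
            # inception, key tag, signer name, signature
            rrsigs.append((owner, rdata[0], int(rdata[6])))
    return dnskeys, rrsigs


def find_orphaned_rrsigs(text):
    """RRSIGs whose key tag matches no DNSKEY published in the zone."""
    dnskeys, rrsigs = parse_zone(text)
    return [sig for sig in rrsigs if sig[2] not in dnskeys]


def audit_zone(text):
    """Summarise ZSK health: published ZSKs, ZSKs actually signing data, orphaned RRSIGs."""
    dnskeys, rrsigs = parse_zone(text)
    zsks = sorted(tag for tag, flags in dnskeys.items()
                  if flags & ZONE_KEY_FLAG and not flags & SEP_FLAG)
    signing_zsks = sorted({tag for _, covered, tag in rrsigs
                           if covered != "DNSKEY" and tag in zsks})
    return {
        "published_zsk_tags": zsks,
        "signing_zsk_tags": signing_zsks,
        "orphaned": [sig for sig in rrsigs if sig[2] not in dnskeys],
    }


if __name__ == "__main__":
    report = audit_zone(SAMPLE_ZONE)
    print("published ZSKs:", report["published_zsk_tags"])
    print("ZSKs signing data:", report["signing_zsk_tags"])
    for owner, covered, tag in report["orphaned"]:
        print(f"ORPHANED RRSIG: {owner} {covered} signed by key tag {tag} (not in DNSKEY RRset)")
```

Run against the sample, the audit lists key tag 1550 as the only published ZSK and flags the SOA and mail RRSIGs as orphaned. In practice you would feed it the signer's output zone (or an AXFR of it) after every key event; a non-empty orphan list, or an empty "signing ZSK" list, is the point at which to stop publication rather than let resolvers discover the breakage.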
_______________________________________________
Opendnssec-user mailing list
Opendnssec-user at lists.opendnssec.org
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user