[Opendnssec-user] ods 2.0.1 ZSK roll-over problem

Fred.Zwarts F.Zwarts at KVI.nl
Thu Sep 22 07:09:51 UTC 2016

Hi Yuri,

I have been a few days away, so I read your message now.

I am a bit confused about your reply. Does it refer to my first question, in 
an earlier mail, about the refusal of the signer to sign the zone because of 
the serial?
This was indeed solved with "ods-enforcer policy import".
However, a few days later we got this new problem with a ZSK roll-over, 
where ods 2.0.1 completely ruined the zone. No active ZSK was left. The 
retiring keys were not in the signed zone, but most of the records were 
still signed with the retiring keys. Some more "ods-enforcer policy import" 
did not help (of course). Only a few records were signed with the ready ZSK, 
which was also in the zone. Only those records could be used with DNSsec 
Finally, my collegue deleted the zone from the database.
So, I am not able to send you any other information.

Could it be that this problem was also caused by a migration problem, or is 
it something else?


"Yuri Schaeffer"  schreef in bericht 
news:0bc2193f-292a-4952-5791-92ec713bcd6e at nlnetlabs.nl...

Hi Fred,

My colleague Hoda found the error. The SOA serial strategy is numbered
differently between 1.4 and 2.0. This is actually a problem with the
migration script not taking this in to account.

What should solve your issue is running

ods-enforcer policy import

Your kasp.xml will be reread and any differences applied.

Alternatively you could do it manually in your database (assuming
default policy):

UPDATE policy SET zoneSoaSerial=1 WHERE name = 'default';

I expect that field in your database to be 3. Which was 'datacounter' in
1.4. But maps to 'keep' in 2.0.

For us left to do is update the migration script.


Opendnssec-user mailing list
Opendnssec-user at lists.opendnssec.org

More information about the Opendnssec-user mailing list