[Opendnssec-user] Not enough keys to satisfy zsk policy for zone

Marc Richter marc.richter at de.verizon.com
Tue Dec 19 12:15:40 UTC 2017


Hi Hoda,

is there a way to fix that even with the current version ?
That would allow a proper upgrade planning instead of doing this now in a rush.

Regards
Marc

On 12/19/17 12:11, Hoda Rohani wrote:
> Hello Marc,
> 
> I would recommend to upgrade your opendnssec.
> We saw similar bugs before and fixed them in 1.4.14. There was a miscalculation in getting the right number of required
> keys.
> 
> Please let us know if you still see those messages after upgrading.
> 
> Regards,
> Hoda
> 
> 
> On 19-12-17 12:16, Marc Richter wrote:
>> Hi,
>>
>> we are getting the following errors in our logs (zonename replaced with
>> <zone>):
>>
>> ods-enforcerd: [ID 992331 local0.warning] Not enough keys to satisfy zsk
>> policy for zone: <zone>. keys_to_allocate(1) = keys_needed(2) -
>> (keys_available(2) - keys_pending_retirement(1))
>>
>> ods-enforcerd: [ID 115111 local0.warning] Tried to allocate 1 keys, failed
>> on allocating key number 1
>>
>> ods-enforcerd: [ID 482275 local0.warning] ods-enforcerd will create some
>> more keys on its next run
>>
>> ods-enforcerd: [ID 363081 local0.error] Error allocating zsks to zone <zone>
>>
>>
>> According to
>>
>> 	https://urldefense.proofpoint.com/v2/url?u=https-3A__wiki.opendnssec.org_display_DOCS_Troubleshooting&d=DwIC-g&c=udBTRvFvXC5Dhqg7UHpJlPps3mZ3LRxpb6__0PomBTQ&r=wDgZv-d1RrBMzWr_7pSF_09ZAXIr59EgoXQU4ctOHMk&m=mKI6YLd07oL68W0Uhj30N_PrFQT1h-999YDxiqHNv2M&s=DK0eg6GmdauHR_8RwJZtzemEEgDtM2u6rMEEfsd9uyI&e=
>>
>> as well as the error message, ods-enforcerd should create new keys on its
>> next run. However, that doesn't seem to happen as the messages are
>> repeating every time ods-enforcerd is running.
>>
>> ManualKeyGeneration is not set.
>>
>> This is  opendnssec version 1.4.10
>>
>> How do I fix this ?
>>
>> Regards
>> Marc
>>
>>
>>
>> _______________________________________________
>> Opendnssec-user mailing list
>> Opendnssec-user at lists.opendnssec.org
>> https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.opendnssec.org_mailman_listinfo_opendnssec-2Duser&d=DwIC-g&c=udBTRvFvXC5Dhqg7UHpJlPps3mZ3LRxpb6__0PomBTQ&r=wDgZv-d1RrBMzWr_7pSF_09ZAXIr59EgoXQU4ctOHMk&m=mKI6YLd07oL68W0Uhj30N_PrFQT1h-999YDxiqHNv2M&s=YBLPkwcnP77lIvJQpsyVEXt9X3llX1ohP3PQBr8aJ-c&e=
>>

-- 
Marc Richter
Engr IV Cslt-Ntwk Eng&Ops | Server & Services Management International
Global Operations | Verizon Wireline Network

Sebrathweg 20
44149 Dortmund - Germany

O +49 231 972 1293
F +49 231 972 2587
E marc.richter at de.verizon.com

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: OpenPGP digital signature
URL: <http://lists.opendnssec.org/pipermail/opendnssec-user/attachments/20171219/1b8fe1c8/attachment.bin>


More information about the Opendnssec-user mailing list