[Opendnssec-user] Not enough keys to satisfy zsk policy for zone

Hoda Rohani hoda at nlnetlabs.nl
Tue Dec 19 13:35:54 UTC 2017


Hello Marc,

This fix is in our software and there is no other way to solve it without migrating to 1.4.14.

1.4.14 contains some fixes for some minor issues as well. Migrating from 1.4.10 to 1.4.14 is very trivial. There is no
change in the database.

Regards,
Hoda


On 19-12-17 13:15, Marc Richter wrote:
> Hi Hoda,
> 
> Is there a way to fix that even with the current version?
> That would allow a proper upgrade planning instead of doing this now in a rush.
> 
> Regards
> Marc
> 
> On 12/19/17 12:11, Hoda Rohani wrote:
>> Hello Marc,
>>
>> I would recommend upgrading your OpenDNSSEC.
>> We saw similar bugs before and fixed them in 1.4.14. There was a miscalculation in getting the right number of required
>> keys.
>>
>> Please let us know if you still see those messages after upgrading.
>>
>> Regards,
>> Hoda
>>
>>
>> On 19-12-17 12:16, Marc Richter wrote:
>>> Hi,
>>>
>>> we are getting the following errors in our logs (zonename replaced with
>>> <zone>):
>>>
>>> ods-enforcerd: [ID 992331 local0.warning] Not enough keys to satisfy zsk
>>> policy for zone: <zone>. keys_to_allocate(1) = keys_needed(2) -
>>> (keys_available(2) - keys_pending_retirement(1))
>>>
>>> ods-enforcerd: [ID 115111 local0.warning] Tried to allocate 1 keys, failed
>>> on allocating key number 1
>>>
>>> ods-enforcerd: [ID 482275 local0.warning] ods-enforcerd will create some
>>> more keys on its next run
>>>
>>> ods-enforcerd: [ID 363081 local0.error] Error allocating zsks to zone <zone>
>>>
>>>
>>> According to
>>>
>>> 	https://wiki.opendnssec.org/display/DOCS/Troubleshooting
>>>
>>> as well as the error message, ods-enforcerd should create new keys on its
>>> next run. However, that doesn't seem to happen as the messages are
>>> repeating every time ods-enforcerd is running.
>>>
>>> ManualKeyGeneration is not set.
>>>
>>> This is OpenDNSSEC version 1.4.10
>>>
>>> How do I fix this?
>>>
>>> Regards
>>> Marc
>>>
> 
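
The symptom reported in this thread, the same key-shortfall warning repeating on every ods-enforcerd run, can be checked for in syslog. The following is an added example, not part of the original messages or of OpenDNSSEC; the sample log lines, host name and zone names are constructed, and the function names `scan` and `stuck_zones` are hypothetical.

```python
import re
from collections import defaultdict

SHORTFALL = re.compile(
    r"ods-enforcerd: .*Not enough keys to satisfy (?P<type>\w+) policy for zone: "
    r"(?P<zone>\S+?)\. keys_to_allocate\((?P<alloc>\d+)\) = keys_needed\((?P<need>\d+)\) - "
    r"\(keys_available\((?P<avail>\d+)\) - keys_pending_retirement\((?P<pend>\d+)\)\)")
ALLOC_ERROR = re.compile(r"ods-enforcerd: .*Error allocating (?P<type>\w+?)s to zone (?P<zone>\S+)")

# Constructed sample: two enforcer runs hit example.org, one hits example.net.
SAMPLE_LOG = """\
Dec 19 11:00:01 signer1 ods-enforcerd: [ID 992331 local0.warning] Not enough keys to satisfy zsk policy for zone: example.org. keys_to_allocate(1) = keys_needed(2) - (keys_available(2) - keys_pending_retirement(1))
Dec 19 11:00:01 signer1 ods-enforcerd: [ID 363081 local0.error] Error allocating zsks to zone example.org
Dec 19 12:00:01 signer1 ods-enforcerd: [ID 992331 local0.warning] Not enough keys to satisfy zsk policy for zone: example.org. keys_to_allocate(1) = keys_needed(2) - (keys_available(2) - keys_pending_retirement(1))
Dec 19 12:00:01 signer1 ods-enforcerd: [ID 363081 local0.error] Error allocating zsks to zone example.org
Dec 19 12:00:02 signer1 ods-enforcerd: [ID 992331 local0.warning] Not enough keys to satisfy zsk policy for zone: example.net. keys_to_allocate(1) = keys_needed(2) - (keys_available(1) - keys_pending_retirement(0))
"""

def scan(log_text):
    """Return {(zone, keytype): {"shortfalls": n, "errors": n, "consistent": bool}}."""
    stats = defaultdict(lambda: {"shortfalls": 0, "errors": 0, "consistent": True})
    for line in log_text.splitlines():
        m = SHORTFALL.search(line)
        if m:
            entry = stats[(m["zone"], m["type"])]
            entry["shortfalls"] += 1
            alloc, need, avail, pend = (int(m[k]) for k in ("alloc", "need", "avail", "pend"))
            # Re-check the arithmetic that the enforcer prints in the message itself.
            if alloc != need - (avail - pend):
                entry["consistent"] = False
            continue
        m = ALLOC_ERROR.search(line)
        if m:
            stats[(m["zone"], m["type"])]["errors"] += 1
    return dict(stats)

def stuck_zones(log_text, min_runs=2):
    """Zones whose shortfall warning appears at least min_runs times (not self-healing)."""
    return sorted(zone for (zone, _), s in scan(log_text).items() if s["shortfalls"] >= min_runs)

if __name__ == "__main__":
    for zone in stuck_zones(SAMPLE_LOG):
        print("key allocation keeps failing for", zone)
```

A single warning followed by a clean run matches the "will create some more keys on its next run" behaviour; only a zone that keeps reappearing matches what the thread describes.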


