[Opendnssec-user] Not enough keys to satisfy zsk policy for zone

Yuri Schaeffer yuri at nlnetlabs.nl
Wed Dec 20 09:10:20 UTC 2017


> Is there a way to fix that even with the current version?

What Hoda said, the upgrade is the fix.

However, a workaround might be possible. If I remember correctly, the
issue was that the enforcer during key generation would calculate the
wrong number of ZSKs. It only happens in the case where your KSK and ZSK
have the same key length. It would add the number of KSKs to the number
of ZSKs and conclude it has enough ZSKs and doesn't need to generate more.

A short-term workaround:
use "ods-ksmutil key generate --period PERIOD" to generate more keys.
For PERIOD choose something bigger than the value from the conf. Say
twice. Make sure the lifetime of the ZSK is shorter than the KSK or
you'll probably hit the same problem.

Long-term workaround:
Use a different key length for ZSK than KSK.

None of this is tested.
//Yuri
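An added example (not from the post or from OpenDNSSEC) that reads a kasp.xml policy, checks the two conditions the post describes (KSK and ZSK with the same key length, which triggers the miscount, and a ZSK lifetime shorter than the KSK lifetime, which the post requires) and derives a doubled PERIOD for the workaround command. The kasp.xml fragment is constructed; the --policy flag and the layout of Keys/KSK/ZSK/Algorithm/Lifetime are assumed from ods-ksmutil's usage as I recall it, and --period is the flag the post names.

```python
import re
import xml.etree.ElementTree as ET

# Constructed kasp.xml fragment (assumed layout, not from the list post):
# both keys use the same RSA length, the condition the post describes.
KASP_XML = """<KASP>
  <Policy name="default">
    <Keys>
      <KSK><Algorithm length="2048">8</Algorithm><Lifetime>P1Y</Lifetime></KSK>
      <ZSK><Algorithm length="2048">8</Algorithm><Lifetime>P30D</Lifetime></ZSK>
    </Keys>
  </Policy>
</KASP>"""

DUR_RE = re.compile(r"^P(?:(\d+)Y)?(?:(\d+)M)?(?:(\d+)W)?(?:(\d+)D)?"
                    r"(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")
# Seconds per unit; months and years are approximated, enough to order lifetimes.
UNIT_SECS = (365 * 86400, 30 * 86400, 7 * 86400, 86400, 3600, 60, 1)

def duration_seconds(iso):
    """Approximate length of an ISO 8601 duration such as P30D or P1Y."""
    m = DUR_RE.match(iso)
    if not m or iso in ("P", "PT"):
        raise ValueError("unsupported duration: " + iso)
    return sum(int(v) * s for v, s in zip(m.groups(), UNIT_SECS) if v)

def scale_duration(iso, factor):
    """Multiply every numeric component (P30D -> P60D); the unit letters stay."""
    duration_seconds(iso)  # validate the syntax before rewriting it
    return re.sub(r"\d+", lambda n: str(int(n.group()) * factor), iso)

def check_policy(kasp_xml, policy="default", factor=2):
    keys = ET.fromstring(kasp_xml).find(f"./Policy[@name='{policy}']/Keys")
    ksk, zsk = keys.find("KSK"), keys.find("ZSK")
    ksk_life, zsk_life = ksk.findtext("Lifetime"), zsk.findtext("Lifetime")
    return {
        "same_length": ksk.find("Algorithm").get("length") == zsk.find("Algorithm").get("length"),
        "zsk_shorter_than_ksk": duration_seconds(zsk_life) < duration_seconds(ksk_life),
        "period": scale_duration(zsk_life, factor),  # "say twice" the configured value
    }

def workaround_command(kasp_xml, policy="default"):
    """Return the key-generate command, or None when the policy is not affected."""
    r = check_policy(kasp_xml, policy)
    if not r["same_length"]:
        return None  # different key lengths: the miscount does not occur
    if not r["zsk_shorter_than_ksk"]:
        raise ValueError("ZSK lifetime must be shorter than the KSK lifetime")
    return f"ods-ksmutil key generate --policy {policy} --period {r['period']}"
```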
