[Opendnssec-user] Not enough keys to satisfy zsk policy for zone

Marc Richter marc.richter at de.verizon.com
Wed Dec 20 12:42:50 UTC 2017


Hi Yuri, Hi Hoda,

>> is there a way to fix that even with the current version?
> 
> What Hoda said, the upgrade is the fix.

I have restored a backup of the database, SoftHSM and the signconf files
onto a development server that runs 1.4.10 as well.

I saw the same error messages when starting ODS on that development server,
so I could reproduce the issue.

I then shut down ODS, upgraded to 1.4.14 and restarted ODS, but the error is
still reported.

So the upgrade did not fix the issue, apparently.
Do you have any advice on what to check next?

> A short term workaround:
> use "ods-ksmutil key generate --period PERIOD" to generate more keys.
> For PERIOD choose something bigger than the value from the conf. Say
> twice. Make sure the lifetime of the ZSK is shorter than the KSK or
> you'll probably hit the same problem.

I guess you mean "key generate --interval" instead of "key generate --period"?

A --period switch does not seem to exist.

> Long term workaround:
> Use a different key length for ZSK than KSK.

We already do. KSK length is 2048, ZSK 1024.

Regards
Marc
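The key-pool check that goes with the workaround above, as an added example that is not part of the thread or of the OpenDNSSEC project: it counts ZSKs per zone and state from `ods-ksmutil key list --verbose` style output, lists zones that have no pre-published ZSK to roll to, and prints the `ods-ksmutil key generate --policy ... --interval ...` command line the thread settles on. The sample listing is constructed, and its column layout (Zone, Keytype, State, next transition, CKA_ID, Repository, Keytag) is an assumption about the 1.4 output format; the parser only relies on the first three columns. The policy name `default` and interval `P2Y` are placeholders.

```shell
#!/bin/sh
# Added example, not from the mailing list thread or OpenDNSSEC itself.
# Spot zones whose ZSK pool is exhausted and build the generate command.

# Constructed sample of `ods-ksmutil key list --verbose` output.
# Assumed layout: Zone Keytype State "Date of next transition" CKA_ID Repository Keytag.
SAMPLE_KEY_LIST='Keys:
Zone:        Keytype:  State:   Date of next transition:  CKA_ID:                           Repository:  Keytag:
example.com  KSK       active   2018-06-01 00:00:00       0a1b2c3d4e5f60718293a4b5c6d7e8f9  SoftHSM      12345
example.com  ZSK       active   2018-01-10 12:42:50       1b2c3d4e5f60718293a4b5c6d7e8f9a0  SoftHSM      23456
example.net  KSK       active   2018-06-01 00:00:00       2c3d4e5f60718293a4b5c6d7e8f9a0b1  SoftHSM      34567
example.net  ZSK       active   2018-01-10 12:42:50       3d4e5f60718293a4b5c6d7e8f9a0b1c2  SoftHSM      45678
example.net  ZSK       publish  2018-01-10 12:42:50       4e5f60718293a4b5c6d7e8f9a0b1c2d3  SoftHSM      56789'

# zsk_count ZONE STATE: number of ZSKs of ZONE in STATE, read from stdin.
# The first two lines ("Keys:" and the column header) are skipped.
zsk_count() {
    awk -v zone="$1" -v state="$2" '
        NR > 2 && $1 == zone && $2 == "ZSK" && $3 == state { n++ }
        END { print n + 0 }'
}

# zones_without_successor: zones whose only ZSK is the active one, i.e. there
# is no ZSK in a non-active state (publish/ready) to roll to. One zone per line.
zones_without_successor() {
    awk '
        NR > 2 && $2 == "ZSK" {
            seen[$1] = 1
            if ($3 != "active") succ[$1] = 1
        }
        END { for (z in seen) if (!succ[z]) print z }' | sort
}

# generate_cmd POLICY INTERVAL: the workaround from the thread as a command
# line. It is printed rather than executed so this runs without an ODS install;
# INTERVAL is an ISO 8601 duration, chosen larger than the policy's own value.
generate_cmd() {
    printf 'ods-ksmutil key generate --policy %s --interval %s\n' "$1" "$2"
}

# Usage: show the zones that will trip the enforcer, then the fix to run.
printf '%s\n' "$SAMPLE_KEY_LIST" | zones_without_successor
generate_cmd default P2Y
```

Run the first pipeline against the real `ods-ksmutil key list --verbose` output; any zone it prints is one the enforcer will report as lacking keys at the next ZSK rollover unless more ZSKs are generated for its policy.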
