[Opendnssec-user] Not enough keys to satisfy zsk policy for zone

Marc Richter marc.richter at de.verizon.com
Thu Dec 21 14:10:42 UTC 2017


Hi,

> Hoda noticed this:
> 
>> ods-enforcerd: [ID 630891 local0.info] NOTE: keys generated in repository
>> SoftHSM will not become active until they have been backed up
> 
> We think you have <RequireBackup/> in your conf but did not indicate to
> OpenDNSSEC that you actually backed them up. Therefore it isn't allowed
> to use the keys.
> 
> So try backing up your keys or stop requiring it.

I don't think this is the issue. We are doing a key backup multiple times
per day using "ods-ksmutil backup prepare" as the first step and
"ods-ksmutil backup commit" as the last step of the process.

So a key that was freshly generated should become active shortly after that.

I also just did this manually and no keys were marked during prepare or commit:

# ods-ksmutil backup prepare
There were no keys to mark

# ods-ksmutil backup commit
There were no keys to mark

Regards
Marc
