[Opendnssec-user] KSK rollover gone wrong
Erwan David
erwan at rail.eu.org
Fri Nov 2 18:41:04 UTC 2018
Hi, it is my first KSK rollover with OpenDNSSEC 2.x (2.1.3).
As DelegationSignerSubmitCommand I have a script which sends me the new DNSKEY record.
So now I have the following state:
root@ns:~ # ods-enforcer key list -v
Keys:
Zone:        Keytype:  State:   Date of next transition:  Size:  Algorithm:  CKA_ID:                           Repository:  KeyTag:
rail.eu.org  KSK       retire   waiting for ds-gone       2048   8           b656abe183f04bb79532cef7e560f385  SoftHSM      60025
rail.eu.org  ZSK       retire   2018-11-10 06:40:45       1024   8           3be292fdeffa05c2fb7094aad65bdc9f  SoftHSM      58794
rail.eu.org  ZSK       ready    2018-11-10 06:40:45       1024   8           06f37e2866ef467c02b1f14aa7835dc8  SoftHSM      33120
rail.eu.org  KSK       ready    waiting for ds-seen       2048   8           27511d0b7ff7ca21510317ad95be546a  SoftHSM      43375
So, following the doc, I issued the following:
root@ns:~ # ods-enforcer key ds-submit -z rail.eu.org -x 43375
0 KSK matches found.
0 KSKs changed.
And DNSKEY 43375 is not in the signed zone (only 60025 for the KSK).
My registrar checks that I publish the DNSKEY record before publishing the DS, thus I cannot add it.
What should I do in this situation?
Thanks.
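The situation above hinges on one question: which key tags does the zone actually publish in its DNSKEY RRset, and does the DS handed to the registrar correspond to one of them? The script below is an added example (not part of this thread and not OpenDNSSEC's own code) that answers that from a DNSKEY RRset in presentation format: it computes the RFC 4034 Appendix B key tag of every record, looks up a wanted tag (for instance the 43375 that ods-enforcer reports), and, if found, derives the DS record (SHA-256 digest over the canonical owner name plus the DNSKEY RDATA, RFC 4034 section 5.1.4). The DNSKEY records embedded here are constructed placeholders with tiny key material so the tags can be checked by hand; in practice you would feed it the output of something like `dig +norecurse rail.eu.org DNSKEY` against the signer and compare the result with the KeyTag column of `ods-enforcer key list -v`.

```python
"""Find the DNSKEY with a given key tag in a zone's apex RRset and derive its DS.

Added example for this thread; not OpenDNSSEC code.  The sample records are
constructed (not real keys); replace them with the real DNSKEY RRset.
"""
import base64
import hashlib
import struct
from typing import List, Optional, Tuple

# Constructed sample DNSKEY RRset.  Flags 257 carries the SEP bit (KSK), 256
# does not (ZSK).  Key material is placeholder bytes, not a usable RSA key.
SAMPLE_DNSKEY_RRSET = [
    "rail.eu.org. 3600 IN DNSKEY 257 3 8 AAECAw==",  # key bytes 00 01 02 03 -> tag 1549
    "rail.eu.org. 3600 IN DNSKEY 256 3 8 ECA=",      # key bytes 10 20       -> tag 5160
]


def owner_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lower-case, length-prefixed labels, root byte."""
    name = name.rstrip(".").lower()
    out = b""
    if name:
        for label in name.split("."):
            raw = label.encode("ascii")
            if not 0 < len(raw) < 64:
                raise ValueError("bad label: %r" % label)
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def parse_dnskey(line: str) -> Tuple[str, int, int, int, bytes]:
    """Parse a presentation-format DNSKEY RR into (owner, flags, protocol, algorithm, key).

    TTL and class are optional; the base64 public key may be split by whitespace.
    """
    fields = line.split()
    owner, rest = fields[0], fields[1:]
    while rest and rest[0].upper() != "DNSKEY":   # skip optional TTL / class
        rest.pop(0)
    if not rest:
        raise ValueError("not a DNSKEY record: %r" % line)
    flags, proto, alg = (int(x) for x in rest[1:4])
    key = base64.b64decode("".join(rest[4:]))
    return owner, flags, proto, alg, key


def dnskey_rdata(flags: int, proto: int, alg: int, key: bytes) -> bytes:
    """Wire-format DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, key."""
    return struct.pack("!HBB", flags, proto, alg) + key


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag.  Algorithm 1 (RSAMD5) uses a different rule and is rejected."""
    if rdata[3] == 1:
        raise ValueError("RSAMD5 key tag not supported")
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(owner: str, rdata: bytes, digest_type: int = 2) -> str:
    """DS presentation text: <owner> IN DS <keytag> <algorithm> <digest type> <hex digest>."""
    if digest_type == 1:
        hasher = hashlib.sha1
    elif digest_type == 2:
        hasher = hashlib.sha256
    else:
        raise ValueError("unsupported DS digest type %d" % digest_type)
    digest = hasher(owner_to_wire(owner) + rdata).hexdigest().upper()
    owner_dot = owner if owner.endswith(".") else owner + "."
    return "%s IN DS %d %d %d %s" % (owner_dot, key_tag(rdata), rdata[3], digest_type, digest)


def find_key_by_tag(records: List[str], tag: int, ksk_only: bool = True) -> Optional[str]:
    """Return the DNSKEY line whose key tag is `tag`, or None if the zone does not publish it."""
    for line in records:
        owner, flags, proto, alg, key = parse_dnskey(line)
        if ksk_only and not (flags & 0x0001):   # SEP bit set -> KSK
            continue
        if key_tag(dnskey_rdata(flags, proto, alg, key)) == tag:
            return line
    return None


if __name__ == "__main__":
    import sys
    wanted = int(sys.argv[1]) if len(sys.argv) > 1 else 1549
    hit = find_key_by_tag(SAMPLE_DNSKEY_RRSET, wanted)
    if hit is None:
        print("key tag %d is NOT in the published DNSKEY RRset; do not hand its DS to the registrar yet" % wanted)
    else:
        owner, flags, proto, alg, key = parse_dnskey(hit)
        print("published:", hit)
        print(ds_record(owner, dnskey_rdata(flags, proto, alg, key)))
```

Run it with the key tag you expect (`python3 check_dnskey.py 43375`) against the real RRset; a None result is exactly the registrar's objection, since the DS would point at a key that validators cannot fetch. The key tag is computed from the wire RDATA, so the value here should agree with the KeyTag column of `ods-enforcer key list -v`; if it does not, you are looking at a different key (or a different zone copy) than the enforcer is.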