[Opendnssec-user] DNSKEY record set not published in a new zone
Stephane Bortzmeyer
bortzmeyer at nic.fr
Sat Nov 10 18:00:35 UTC 2018
I just added a new zone to an OpenDNSSEC installation which works for
several other zones.
I tried adding the new zone both with zonelist.xml + ods-enforcer zone
import, and with ods-enforcer zone add. Same result in both cases.
The KSK stays in state "generate" (why?):
% sudo ods-enforcer key list --keystate generate --zone foo.example
Keys:
Zone: Keytype: State: Date of next transition:
foo.example KSK generate 2018-11-12 06:46:20
key list completed in 0 seconds.
The ZSK is in state publish:
% sudo ods-enforcer key list --zone foo.example
Keys:
Zone: Keytype: State: Date of next transition:
foo.example ZSK publish 2018-11-12 06:46:20
key list completed in 0 seconds.
But no DNSKEY at all is added in the signed zone. (There are RRSIGs,
and NSEC3.)
OpenDNSSEC 2.0.4
(Side note: when NSD loads a zone with no DNSKEY, it doesn't serve the
signatures at all.)
Key policy is:
<Keys>
    <TTL>PT7200S</TTL>
    <RetireSafety>PT7200S</RetireSafety>
    <PublishSafety>PT7200S</PublishSafety>
    <Purge>P14D</Purge>
    <KSK>
        <Algorithm length="2048">8</Algorithm>
        <Lifetime>P3Y</Lifetime>
        <Repository>SoftHSM</Repository>
        <ManualRollover/>
    </KSK>
    <ZSK>
        <Algorithm length="1024">8</Algorithm>
        <Lifetime>P90D</Lifetime>
        <Repository>SoftHSM</Repository>
    </ZSK>
</Keys>
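The symptom reported above (RRSIGs and NSEC3 records in the signed zone, but no DNSKEY RRset at the apex) can be caught before the zone is handed to NSD. The checker below is an added example for this page, not OpenDNSSEC code and not the poster's; the two zone samples are constructed, `foo.example` and the "AQAB" public key are placeholders, and the parser assumes the signer's output style of one fully qualified record per line with explicit TTL and class (a real zone file with $ORIGIN, $TTL or multi-line records would need a proper parser such as dnspython). It also computes the RFC 4034 key tag of each DNSKEY so it can report RRSIGs that point at a key tag no published DNSKEY has.

```python
"""Audit a signed zone in presentation format for DNSKEY/RRSIG consistency.

Added example, not OpenDNSSEC code. Assumes one fully qualified record per
line: '<owner> <ttl> <class> <type> <rdata>'. Key material is a placeholder,
so signatures are not verified; only the structure of the zone is checked.
"""
import base64
from collections import defaultdict

# Constructed sample 1: the situation described in the post. RRSIG and NSEC3
# records are present, every RRSIG names key tag 12345, but the apex has no
# DNSKEY RRset at all.
ZONE_WITHOUT_DNSKEY = """\
foo.example. 3600 IN SOA ns1.foo.example. hostmaster.foo.example. 2018111001 7200 3600 1209600 3600
foo.example. 3600 IN RRSIG SOA 8 2 3600 20181124180000 20181110180000 12345 foo.example. c2ln
foo.example. 3600 IN NS ns1.foo.example.
foo.example. 3600 IN RRSIG NS 8 2 3600 20181124180000 20181110180000 12345 foo.example. c2ln
foo.example. 0 IN NSEC3PARAM 1 0 5 ABCDEF
foo.example. 0 IN RRSIG NSEC3PARAM 8 2 0 20181124180000 20181110180000 12345 foo.example. c2ln
q0hash.foo.example. 3600 IN NSEC3 1 0 5 ABCDEF q1hash NS SOA RRSIG NSEC3PARAM
q0hash.foo.example. 3600 IN RRSIG NSEC3 8 3 3600 20181124180000 20181110180000 12345 foo.example. c2ln
"""

# Constructed sample 2: the same zone once the KSK (flags 257, SEP bit set)
# and ZSK (flags 256) are published with the policy's 7200 s DNSKEY TTL.
# "AQAB" is placeholder key material; its key tags are 1545 (KSK) and 1544 (ZSK).
ZONE_WITH_DNSKEY = """\
foo.example. 3600 IN SOA ns1.foo.example. hostmaster.foo.example. 2018111002 7200 3600 1209600 3600
foo.example. 3600 IN RRSIG SOA 8 2 3600 20181124180000 20181110180000 1544 foo.example. c2ln
foo.example. 3600 IN NS ns1.foo.example.
foo.example. 3600 IN RRSIG NS 8 2 3600 20181124180000 20181110180000 1544 foo.example. c2ln
foo.example. 7200 IN DNSKEY 257 3 8 AQAB
foo.example. 7200 IN DNSKEY 256 3 8 AQAB
foo.example. 7200 IN RRSIG DNSKEY 8 2 7200 20181124180000 20181110180000 1545 foo.example. c2ln
foo.example. 0 IN NSEC3PARAM 1 0 5 ABCDEF
foo.example. 0 IN RRSIG NSEC3PARAM 8 2 0 20181124180000 20181110180000 1544 foo.example. c2ln
q0hash.foo.example. 3600 IN NSEC3 1 0 5 ABCDEF q1hash NS SOA RRSIG DNSKEY NSEC3PARAM
q0hash.foo.example. 3600 IN RRSIG NSEC3 8 3 3600 20181124180000 20181110180000 1544 foo.example. c2ln
"""


def dnskey_keytag(rdata):
    """Key tag of a DNSKEY rdata string 'flags proto alg base64key' (RFC 4034, App. B).

    Valid for every algorithm except the obsolete RSAMD5 (algorithm 1)."""
    flags, proto, alg, key = rdata.split(None, 3)
    wire = (int(flags).to_bytes(2, "big") + bytes([int(proto), int(alg)])
            + base64.b64decode("".join(key.split())))
    ac = 0
    for i, b in enumerate(wire):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_zone(text):
    """Group records by (owner, type); comments after ';' are ignored."""
    rrsets = defaultdict(list)
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        owner, _ttl, _rrclass, rrtype, rdata = line.split(None, 4)
        rrsets[(owner.lower(), rrtype.upper())].append(rdata)
    return rrsets


def audit_signed_zone(text, apex):
    """Return a summary dict; 'problems' is empty when the zone looks consistent."""
    apex = apex.lower().rstrip(".") + "."
    rrsets = parse_zone(text)
    dnskeys = rrsets.get((apex, "DNSKEY"), [])
    published_tags = {dnskey_keytag(k) for k in dnskeys}
    flags = [int(k.split()[0]) for k in dnskeys]
    rrsigs = [r for (_o, t), rs in rrsets.items() if t == "RRSIG" for r in rs]
    covered = {r.split()[0].upper() for r in rrsigs}   # RRSIG field 1: type covered
    signer_tags = {int(r.split()[6]) for r in rrsigs}   # RRSIG field 7: key tag
    has_nsec3 = any(t == "NSEC3" for _o, t in rrsets)

    problems = []
    if rrsigs and not dnskeys:
        problems.append("RRSIG records present but no DNSKEY RRset at the apex: "
                        "validators have nothing to verify them with and NSD will not serve them")
    if dnskeys:
        if 257 not in flags:
            problems.append("no KSK (flags 257, SEP bit) in the DNSKEY RRset")
        if 256 not in flags:
            problems.append("no ZSK (flags 256) in the DNSKEY RRset")
        if "DNSKEY" not in covered:
            problems.append("DNSKEY RRset is not signed")
    missing = sorted(signer_tags - published_tags)
    if missing:
        problems.append(f"RRSIGs reference key tag(s) {missing} that are not in the DNSKEY RRset")
    if has_nsec3 and (apex, "NSEC3PARAM") not in rrsets:
        problems.append("NSEC3 records present but no NSEC3PARAM at the apex")
    return {"dnskeys": len(dnskeys), "keytags": sorted(published_tags), "rrsigs": len(rrsigs),
            "covered": sorted(covered), "nsec3": has_nsec3, "problems": problems}


if __name__ == "__main__":
    for label, zone in (("without DNSKEY", ZONE_WITHOUT_DNSKEY), ("with DNSKEY", ZONE_WITH_DNSKEY)):
        report = audit_signed_zone(zone, "foo.example")
        print(label, "->", report["problems"] or "OK")
```

Run against a real signer output (for example the file ods-signer writes for foo.example, with the apex passed as the second argument), a non-empty `problems` list is the cue to inspect the enforcer's key states before the zone ever reaches NSD; the key-tag cross-check also catches the subtler case where a DNSKEY RRset exists but the signatures were made with a key that is not (yet) published.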