Hi, I have a lot of KSK rollovers coming this summer, and as I upgraded to 1.2.1 recently, I wanted to try to do a manual rollover first, on a zone I don't really care about, to see if something changed from the 1.0 or 1.1 I used last summer.

So, I did:

    $ ods-ksmutil key rollover --zone ZONE --keytype KSK

That kicked the enforcer, and after a while it did regenerate the signconf file for that zone. I waited a few hours for the signer to kick in, but the new KSK was not there; a night passed, and the new KSK was still not there.

After a few commands with ods-signer, I managed to crash the signerd. At first, I did not understand how I did it, but now, you can reproduce it easily with:

    ods-signer queue | head

(I have 104 zones in there, so it still had things to write and it appears it did not like not being able to write them.)

I restarted the signer and it picked up the new key, so I guessed it must have had a cache somewhere. I found out that the signer had an "update" command, so I tried another zone, and after the enforcer generated the new signconf, I did:

    ods-signer update ZONE

That kicked the signer and it picked up the new key. I don't really understand why the enforcer doesn't kick the signer as I guess it should.

-- 
Mathieu Arnold