Hi, Still testing my setup, I wanted to rollover a reverse zone to see how it would work with the RIPE email system...
I've scratched my head for something like two hours wondering why:

    ods-ksmutil key rollover --zone 240.143.79.in-addr.arpa --keytype KSK

was not doing anything... It was kicking the enforcer, but the enforcer did not do anything, and as the enforcer takes 15 minutes to go through the 104 zones configured, and I can't issue any other command while it's working, it's been driving me mad...

It turns out that when I started, the reverse zones were in my default policy, which uses NSEC3, and that sometime last year I created an NSEC policy to go with them (who can't guess the content of a reverse zone...) and changed their policy to the new NSEC one. Now, in the database, it changed the zones' policy_id, but not the keypairs' policy_id. And it happens that ods-ksmutil searches by the zone_id and policy_id that it got when looking up the zone name, and finds nothing, obviously.

Now, I told myself, I'll stop the enforcer, update the dnsseckeys' retire field manually and start it again. It was a nice idea, but it did not work: the enforcer kept putting the old retire time back. I guess it checks with the zone_id and policy_id too.

So, I went back to the database and updated the keypairs' policy_id (and the dnsseckeys' retire while I was at it), and there I was, the enforcer was nice enough to publish a new KSK.

I guess changing a zone's policy is not something that's done often, and I'm not sure what should be done to its keys when it happens, but it would be nice to be able to have everything just work if that is the case.

-- 
Mathieu Arnold

_______________________________________________
Opendnssec-user mailing list
Opendnssec-user@lists.opendnssec.org
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
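The inconsistency described above (zones.policy_id moved to the new policy while the keypairs rows kept the old one) can be spotted and repaired with a couple of queries. The SQL below is an added example, not code from the post or from the OpenDNSSEC project: the tables are a constructed, stripped-down stand-in for the KASP database that keeps only the columns the post names (zones.policy_id, keypairs.policy_id, dnsseckeys.zone_id / keypair_id / retire); every other column, the policy names, the ids and the keytype values (257 = KSK, 256 = ZSK DNSKEY flags) are assumptions made for the illustration. Run it against a copy of your real database only after stopping ods-enforcerd and taking a backup, and check the column names against the installed schema first.

```sql
-- Added example (not from the original post or the OpenDNSSEC project).
-- Constructed minimal stand-in for the relevant parts of an OpenDNSSEC 1.x
-- KASP database; only the columns mentioned in the post are real names,
-- everything else here is assumed for the sake of the example.
CREATE TABLE policies  (id INTEGER PRIMARY KEY, name TEXT NOT NULL);
CREATE TABLE zones     (id INTEGER PRIMARY KEY, name TEXT NOT NULL,
                        policy_id INTEGER NOT NULL REFERENCES policies(id));
CREATE TABLE keypairs  (id INTEGER PRIMARY KEY,
                        policy_id INTEGER NOT NULL REFERENCES policies(id));
CREATE TABLE dnsseckeys(id INTEGER PRIMARY KEY,
                        zone_id    INTEGER NOT NULL REFERENCES zones(id),
                        keypair_id INTEGER NOT NULL REFERENCES keypairs(id),
                        keytype    INTEGER NOT NULL,   -- assumed: 257 = KSK, 256 = ZSK
                        retire     TEXT);              -- NULL = no retire time set

-- Constructed sample data reproducing the situation in the post: the reverse
-- zone was moved from policy 1 (NSEC3 "default") to policy 2 (NSEC), but the
-- keypairs it uses still carry policy_id = 1.
INSERT INTO policies VALUES (1, 'default'), (2, 'reverse-nsec');
INSERT INTO zones    VALUES (1, '240.143.79.in-addr.arpa', 2);
INSERT INTO keypairs VALUES (10, 1), (11, 1);
INSERT INTO dnsseckeys VALUES (100, 1, 10, 257, NULL),   -- KSK
                              (101, 1, 11, 256, NULL);   -- ZSK

-- 1. Detect: every keypair whose policy_id disagrees with the policy of the
--    zone it is attached to. These are exactly the keys a lookup by
--    (zone_id, policy_id) will never find.
SELECT z.name      AS zone,
       d.keypair_id,
       d.keytype,
       k.policy_id AS keypair_policy,
       z.policy_id AS zone_policy
FROM   dnsseckeys d
JOIN   zones      z ON z.id = d.zone_id
JOIN   keypairs   k ON k.id = d.keypair_id
WHERE  k.policy_id <> z.policy_id;

-- 2. Fix (enforcer stopped, database backed up): move each mismatched keypair
--    to the policy its zone now belongs to.
UPDATE keypairs
SET    policy_id = (SELECT z.policy_id
                    FROM   dnsseckeys d
                    JOIN   zones      z ON z.id = d.zone_id
                    WHERE  d.keypair_id = keypairs.id
                    LIMIT  1)
WHERE  id IN (SELECT d.keypair_id
              FROM   dnsseckeys d
              JOIN   zones      z ON z.id = d.zone_id
              JOIN   keypairs   k ON k.id = d.keypair_id
              WHERE  k.policy_id <> z.policy_id);

-- 3. Verify: the detection query must now return zero rows.
SELECT COUNT(*) AS remaining_mismatches
FROM   dnsseckeys d
JOIN   zones      z ON z.id = d.zone_id
JOIN   keypairs   k ON k.id = d.keypair_id
WHERE  k.policy_id <> z.policy_id;
```

The `LIMIT 1` in the update is there because a keypair can, with shared keys, be attached to more than one zone; if those zones ended up in different policies the repair is ambiguous and the detection query (step 1) should be read by hand before running step 2. The update deliberately does not touch `dnsseckeys.retire`: once the keypairs' policy_id matches the zone again, the enforcer is the component that should decide the retire time, as the post observed when it overwrote the manually set value.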