Hi All

As Mark has said logged in as the signer user we are able to list the “missing” key.

<zone> KSK active 2015-06-10 15:19:39 (retire) 2048 8 994410881c1e66e2d075ed1ed1756679 thales 15664

Anything else we can try look for?

Regards
—
David Peall

On 09 Jun 2014, at 2:39 PM, Siôn Lloyd <s...@nominet.org.uk> wrote:

> On 09/06/14 11:30, David Peall wrote:
>>
>> But then:
>> ods-signerd: [hsm] unable to get key: key 994410881c1e66e2d075ed1ed1756679 not found
>> ods-signerd: [zone] unable to publish dnskeys for zone <zone>: error creating dnskey
>> ods-signerd: [tools] unable to read zone <zone>: failed to publish dnskeys (General error)
>>
>> But:
>> ods-ksmutil key list --verbose
>> Zone: Keytype: State: Date of next transition (to): Size: Algorithm: CKA_ID: Repository: Keytag:
>> <zone> KSK publish 2014-06-10 02:17:13 (ready) 2048 8 994410881c1e66e2d075ed1ed1756679 thales 15664
>>
>> Is this because the key is not active? is this a bug?
>
> Hi David,
>
> The state of the key is not causing this... Does the signer run as the
> same user/group as the enforcer?
>
>> Also get this:
>> ods-enforcerd: WARNING: KSK rollover for zone ‘<zone>' not completed as there are no keys in the 'ready' state; ods-enforcerd will try again when it runs next
>>
>
> This is just a warning that you have to wait for the KSK and signatures
> to propagate before the key is considered "ACTIVE". The wording is not
> ideal for the initial signing situation, but makes more sense when
> describing subsequent rolls.
>
> Sion
> _______________________________________________
> Opendnssec-user mailing list
> Opendnssec-user@lists.opendnssec.org
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user