On 23-09-14 16:19, Paul Wouters wrote:
On Tue, 23 Sep 2014, Matthijs Mekking wrote:

And for unknown reasons it is now only creating a single RRSIG record
for the DNSKEY set (by the KSK) and none of the RRSIG records by the
ZSK, turning these 4 zones into bogus :(

Deleting all files in /var/opendnssec/tmp/ and /var/opendnssec/signed/
and even /var/opendnssec/signconf/ and running ods-ksmutil update all
did not resolve this issue:

If you need such recovery, you also want to restart the signer after
removing these files, as the data is now retained in memory.

That was done. It just choked on the missing ZSK spare key, and therefore
didn't sign any data with the ZSK, and the "signed" zone had no ZSK-based
RRSIGs.

What was in the signconf.xml? Because if the ZSK was not configured there, the signer will happily sign the zone with just the KSK (if in signconf.xml of course).

If the ZSK is in the signconf, but not in the HSM, the signer should barf.

- Matthijs


Paul
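A quick defender-side check for the symptom described in this thread (a "signed" zone whose only RRSIG is the KSK's over the DNSKEY RRset, with no ZSK signatures at all) is to read the signer's output zone back, compute the key tag of every DNSKEY per RFC 4034 Appendix B, and confirm that every non-DNSKEY RRset carries an RRSIG whose key tag belongs to a ZSK. The script below is an added example written for this post; it is not OpenDNSSEC code. It assumes one presentation-format record per line with TTL and class present (as a signer writes them), and the sample zone it builds uses constructed key material and signature bytes that are not valid keys or signatures; the key tags are real only in the sense that they are computed from those bytes.

```python
import base64
from collections import defaultdict

def key_tag(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (algorithms other than 1)."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def parse_zone(text: str):
    """Return (dnskeys {key_tag: flags}, rrsets {(owner, type)}, rrsigs {(owner, covered): [key_tag]}).
    Assumes one record per line in the form: owner TTL class type rdata..."""
    dnskeys, rrsets, rrsigs = {}, set(), defaultdict(list)
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        f = line.split()
        owner, rtype, rdata = f[0].lower(), f[3].upper(), f[4:]
        if rtype == "DNSKEY":
            flags, proto, alg = int(rdata[0]), int(rdata[1]), int(rdata[2])
            pub = base64.b64decode("".join(rdata[3:]))   # base64 may be split into several tokens
            dnskeys[key_tag(flags, proto, alg, pub)] = flags
            rrsets.add((owner, rtype))
        elif rtype == "RRSIG":
            # RRSIG rdata: covered alg labels origttl expiration inception keytag signer sig
            rrsigs[(owner, rdata[0].upper())].append(int(rdata[6]))
        else:
            rrsets.add((owner, rtype))
    return dnskeys, rrsets, rrsigs

def audit(text: str) -> dict:
    """Report RRsets that lack the signatures a correctly signed zone must carry."""
    dnskeys, rrsets, rrsigs = parse_zone(text)
    ksk = {t for t, fl in dnskeys.items() if fl & 1}      # SEP bit set (257) -> KSK
    zsk = {t for t, fl in dnskeys.items() if not fl & 1}  # SEP bit clear (256) -> ZSK
    problems = []
    for owner, rtype in sorted(rrsets):
        tags = set(rrsigs.get((owner, rtype), []))
        if not tags:
            problems.append((owner, rtype, "no RRSIG"))
        elif rtype == "DNSKEY" and not tags & ksk:
            problems.append((owner, rtype, "DNSKEY RRset not signed by a KSK"))
        elif rtype != "DNSKEY" and not tags & zsk:
            problems.append((owner, rtype, "no RRSIG by a ZSK"))
        elif tags - ksk - zsk:
            problems.append((owner, rtype, "RRSIG by a key tag not in the DNSKEY RRset"))
    return {"ksk": ksk, "zsk": zsk, "problems": problems}

def sample_zone(zsk_signs: bool) -> str:
    """Constructed example zone; keys and signatures are placeholder bytes, not real crypto."""
    ksk_pub, zsk_pub = bytes(range(1, 33)), bytes(range(101, 133))
    ksk_tag, zsk_tag = key_tag(257, 3, 8, ksk_pub), key_tag(256, 3, 8, zsk_pub)
    b64 = lambda b: base64.b64encode(b).decode()
    sig, times = b64(b"constructed-signature-bytes"), "20141023000000 20140923000000"
    lines = [
        "example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. 2014092301 3600 900 1209600 300",
        f"example.com. 3600 IN DNSKEY 257 3 8 {b64(ksk_pub)}",
        f"example.com. 3600 IN DNSKEY 256 3 8 {b64(zsk_pub)}",
        f"example.com. 3600 IN RRSIG DNSKEY 8 2 3600 {times} {ksk_tag} example.com. {sig}",
        "www.example.com. 3600 IN A 192.0.2.1",
    ]
    if zsk_signs:   # the healthy case: ZSK covers every non-DNSKEY RRset
        lines += [
            f"example.com. 3600 IN RRSIG SOA 8 2 3600 {times} {zsk_tag} example.com. {sig}",
            f"www.example.com. 3600 IN RRSIG A 8 3 3600 {times} {zsk_tag} example.com. {sig}",
        ]
    return "\n".join(lines)

if __name__ == "__main__":
    for label, ok in (("healthy zone", True), ("zone as described in the thread", False)):
        print(label, audit(sample_zone(ok))["problems"])
```

Run against the real output file (`audit(open(path).read())`) after a resign: an empty `problems` list means every RRset is covered by the right key class; the thread's symptom shows up as every non-DNSKEY RRset reporting "no RRSIG", which is exactly the state a validating resolver treats as bogus.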

_______________________________________________
Opendnssec-user mailing list
Opendnssec-user@lists.opendnssec.org
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
