I'm experiencing the same problem (bug, I guess) that Volker Janzen
mentioned a couple weeks ago. I manually added some keys as
suggested by Matthijs, yet the problem persists:
signer# ods-hsmutil list
Listing keys in all repositories.
98 keys found.
RepositoryID
On Jul 2, 2010, at 5:27 AM, Volker Janzen wrote:
Hi all,
when I add a new zone to my DNS server, I'm always a bit confused about
the correct workflow. In the docs under "Adding/Removing zones" I just
find a call of "ods-ksmutil zone add --zone example.com". This call works
fine and adds
> So my original comment is still valid. You cannot remove individual
> keys from KASP database.
Ok, so the Enforcer does not remove the keys from its database when the zone is
removed.
>>> - Algorithm rollover is missing? And it's not in the roadmap yet?
>>
>> It is planned for 1.3, but the r
Hey Ondrej,
> Because when I just remove the keys with ods-hsmutil:
>
> # ods-ksmutil zone delete -z foobar.cz
> # ods-hsmutil remove 99cfd17644c8987f8ea709feb3c6e09ee26b12eb54e4dbd50768733d
> Key remove successful.
> # ods-hsmutil remove a34f6f2cc51c5ee968cd4e1508fd90e1198f4c5a11e2796c30de592a
>
On Fri, Jul 2, 2010 at 09:17, Rickard Bellgrim wrote:
>
> On 25 jun 2010, at 11.41, Ondřej Surý wrote:
>
>> - No way to get rid of an imported key or change the state of an already
>> imported key
>
> Once the key is imported, it is supposed that the enforcer updated the state.
Yes, but suppose you
Hi all,
when I add a new zone to my DNS server, I'm always a bit confused about
the correct workflow. In the docs under "Adding/Removing zones" I just
find a call of "ods-ksmutil zone add --zone example.com". This call works
fine and adds the configuration. But the zone is not signed within minute
Hi,
I think I was able to find the root cause for this type of failure. I was
not able to reproduce the exact error, but it seems that the signer works
a little differently with the Key database than the enforcer.
See this output:
# ods-ksmutil key list -z udp53.cz --verbose
SQLite database set to: /var/lib/opend
>> - I was able to create such a mess in the keys for udp53.cz, that I
>> had to disable auditor :)
>
> We should have a look at this.
Sorry - I forgot to say that I have been in contact with Ondrej off-list.
Unfortunately, the original signed file has been lost, so it is impossible to
be cert
On 25 jun 2010, at 11.41, Ondřej Surý wrote:
> - No way to get rid of an imported key or change the state of an already
> imported key
Once the key is imported, it is supposed that the enforcer updated the state.
> - If I delete a zone and re-add it later, the keys are lost, but you
> cannot re-imp