Re: [Opendnssec-user] ods 2.0.1 ZSK roll-over problem

2016-09-22 Thread Yuri Schaeffer
> 1) A bug in the enforcer where it outputs the wrong signconf. Please
> check the entry for the 63b58e329df2a6bfa09671425146b72d key in the
> signconf. it should have a element.

Oops. That should be a element for key 63b58e329df2a6bfa09671425146b72d. The (meaning use it for signing as ZSK) sh

Re: [Opendnssec-user] ods 2.0.1 ZSK roll-over problem

2016-09-22 Thread Yuri Schaeffer
Hi Fred,

We are currently in the process of finding out why the retired ZSK after the migration gets unpublished too fast. It seems an issue in the migration script. Working on it. This issue seems unrelated. Judging from the output the old ZSK DNSKEY is still being published in the DNSKEY set. At

Re: [Opendnssec-user] ods 2.0.1 ZSK roll-over problem

2016-09-22 Thread Fred.Zwarts
Sorry, I forgot the database. See attachment.

kasp.db
Description: Binary data

___
Opendnssec-user mailing list
Opendnssec-user@lists.opendnssec.org
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user

Re: [Opendnssec-user] ods 2.0.1 ZSK roll-over problem

2016-09-22 Thread Yuri Schaeffer
> I forced another ZSK roll-over on our test system and the same problem
> popped up.
> There are now two retiring ZSKs and one ready ZSK, but no active ZSK.
> In the zone file, many records are still signed with the retiring ZSK.
> However, this ZSK itself is no longer in the signed zone file.

To

Re: [Opendnssec-user] ods 2.0.1 ZSK roll-over problem

2016-09-22 Thread Yuri Schaeffer
> I am a bit confused about your reply. Does it refer to my first
> question, in an earlier mail, about the refusal of the signer to sign
> the zone because of the serial?

Oh yes sorry, I replied to the wrong thread.

> > > Could it be that this problem was also caused by a migration problem, or

Re: [Opendnssec-user] ods 2.0.1 ZSK roll-over problem

2016-09-22 Thread Fred.Zwarts
I forced another ZSK roll-over on our test system and the same problem popped up. There are now two retiring ZSKs and one ready ZSK, but no active ZSK. In the zone file, many records are still signed with the retiring ZSK. However, this ZSK itself is no longer in the signed zone file. Could it

Re: [Opendnssec-user] Immediate Resigning of Zones

2016-09-22 Thread Yuri Schaeffer
Hi Simon,

> I am working with DNSSEC 2.0.1 and have the problem that
>
> ods-signer sign --all
>
> does not schedule immediate resigning of all zones but does so only with
> a delay of 10 min. In the previous version 1.4 I was using this happened
> immediately.

There should be no difference

Re: [Opendnssec-user] ods 2.0.1 ZSK roll-over problem

2016-09-22 Thread Fred.Zwarts
Hi Yuri, I have been a few days away, so I read your message now. I am a bit confused about your reply. Does it refer to my first question, in an earlier mail, about the refusal of the signer to sign the zone because of the serial? This was indeed solved with "ods-enforcer policy import". How