> 1) A bug in the enforcer where it outputs the wrong signconf. Please
> check the entry for the 63b58e329df2a6bfa09671425146b72d key in the
> signconf. It should have a element.
Oops. That should be a element for key
63b58e329df2a6bfa09671425146b72d.
The (meaning use it for signing as ZSK) sh
Hi Fred,
We are currently in the process of finding out why the retired ZSK after
the migration gets unpublished too fast. It seems an issue in the
migration script. Working on it.
This issue seems unrelated. Judging from the output the old ZSK DNSKEY
is still being published in the DNSKEY set. At
Sorry, I forgot the database. See attachment.
kasp.db
___
Opendnssec-user mailing list
Opendnssec-user@lists.opendnssec.org
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
> I forced another ZSK roll-over on our test system and the same problem
> popped up.
> There are now two retiring ZSKs and one ready ZSK, but no active ZSK.
> In the zone file, many records are still signed with the retiring ZSK.
> However, this ZSK itself is no longer in the signed zone file.
To
> I am a bit confused about your reply. Does it refer to my first
> question, in an earlier mail, about the refusal of the signer to sign
> the zone because of the serial?
Oh yes sorry, I replied to the wrong thread.
>
>
> Could it be that this problem was also caused by a migration problem, or
I forced another ZSK roll-over on our test system and the same problem
popped up.
There are now two retiring ZSKs and one ready ZSK, but no active ZSK.
In the zone file, many records are still signed with the retiring ZSK.
However, this ZSK itself is no longer in the signed zone file.
Could it
Hi Simon,
> I am working with DNSSEC 2.0.1 and have the problem that
>
> ods-signer sign --all
>
> does not schedule immediate resigning of all zones but does so only with
> a delay of 10 min. In the previous version 1.4 I was using this happened
> immediately.
There should be no difference
Hi Yuri,
I have been a few days away, so I read your message now.
I am a bit confused about your reply. Does it refer to my first question, in
an earlier mail, about the refusal of the signer to sign the zone because of
the serial?
This was indeed solved with "ods-enforcer policy import".
How