What does the signconf file for nohats.ca and the other zone look like?

Matthijs

On Mon, 4 Jun 2012, Paul Wouters wrote:

On Mon, 4 Jun 2012, Siôn Lloyd wrote:

But you're telling me I need to switch to manual dnssec-signzone/bind
for now to downgrade? There is no manual mode working for opendnssec
at all?

Not currently for algorithm rollover... That is scheduled for version 2 of the enforcer.

It got worse. I tried deleting the zones and re-adding them with the new
policy, and unrelated zones started getting mangled. The nohats.ca domain
(which was not deleted) ended up with NSEC3 records and 0 RRSIGs. One
other zone ended up with only 1 RRSIG over the DNSKEY RRset in the zone.

I had to remove the DLV record for nohats.ca as I could not get
opendnssec to sign it properly whatsoever. Even stopping all daemons
and removing all signed zones and all tmp/signconf files and
running ods-ksmutil update all did not cause it to start signing
again. I upgraded from 1.4.0a1 to 1.4.0a2 but it made no difference.

Now 8 hours later, the nohats.ca has 1 RRSIG over the DNSKEY set, and
no other RRSIGs.....

Paul
_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user