On Mon, 4 Jun 2012, Paul Wouters wrote:

What does the signconf file for nohats.ca and the other zone look like?

Attached the nohats.ca one. The zone is stock default, e.g.:

It seems the signer has recovered by itself, and all nohats.ca records
now have an RRSIG. The same for the other zone with 1 RRSIG. The key
status for nohats.ca is:

[root@nohats ]# ods-ksmutil key list --verbose|grep nohats.ca
SQLite database set to: /var/opendnssec/kasp.db
nohats.ca                       KSK           active    2012-12-15 13:56:52 (retire)   2048    8           095e4736b9eb593b2fe83f9aa876412d SoftHSM  48581
nohats.ca                       ZSK           active    2012-07-04 13:08:36 (retire)   1024    8           1c3bfb14fed753656fbdc7ed77bcca7b SoftHSM  44754

I'm not sure if it rolled the ZSK, because I don't see a dead key.
The other zone that recovered, which was not rolled manually, shows that
a key rollover happened:

valleymedia.net                 KSK           ready     waiting for ds-seen (active)   2048    8           675dfb0879d98c455f2da938a257e923 SoftHSM  15514
valleymedia.net                 ZSK           retire    2012-06-14 02:28:08 (dead)     1024    8           0b59b6587492ee6ac585bd384cf766ab SoftHSM  47731
valleymedia.net                 ZSK           active    2012-07-04 13:08:37 (retire)   1024    8           49da5b64be1a6b35a0ae80de94ef5924 SoftHSM  40224

Paul
_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
