Hi all,
Below is from my test server, and the status of the keys makes me puzzled. It's Jul
12 now, and the key tagged 38478, whose retire date is 2012-07-09, is still
active, and the new ZSK's still ready.
Should I do a key rollover by "ods-ksmutil keyrollover -z example --keytype
ZSK" manually? Isn't it automatic?
[root@CST-BJ-104:202.173.9.19 :~]$ods-ksmutil key list -v
SQLite database set to: /var/opendnssec/kasp.db
Keys:
Zone:    Keytype: State:  Date of next transition (to):  Size: Algorithm: CKA_ID:                          Repository: Keytag:
example  KSK      active  2013-07-05 20:48:04 (retire)   2048  8          4f6800a714b360cacaef8f7705b296f4 SoftHSM     3224
example  ZSK      active  2012-07-09 21:48:58 (retire)   1024  8          183fa4c0dfcfc41644b83565e228d74d SoftHSM     38478
example  ZSK      ready   next rollover (active)         1024  8          149877dc0a7382a80936977b36b4f53e SoftHSM     24096
[root@CST-BJ-104:202.173.9.19 :~]$date
Thu Jul 12 10:18:50 CST 2012
After I ran the rollover command manually, the key status changed:
[root@CST-BJ-104:202.173.9.19 :~]$ods-ksmutil key list -v
SQLite database set to: /var/opendnssec/kasp.db
Keys:
Zone:    Keytype: State:  Date of next transition (to):  Size: Algorithm: CKA_ID:                          Repository: Keytag:
example  KSK      active  2013-07-05 20:48:04 (retire)   2048  8          4f6800a714b360cacaef8f7705b296f4 SoftHSM     3224
example  ZSK      retire  2012-07-12 11:39:47 (dead)     1024  8          183fa4c0dfcfc41644b83565e228d74d SoftHSM     38478
example  ZSK      active  2012-07-12 14:28:47 (retire)   1024  8          149877dc0a7382a80936977b36b4f53e SoftHSM     24096
I made <RequireBackup> valid in conf.xml; maybe I did not back up the new ZSK
with the command, so the automatic rollover did not work properly. So do I have
to monitor the newly auto-created key and back it up in order not to disturb the
regular key rollover?
Best regards,
Stuart
_______________________________________________
Opendnssec-user mailing list
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
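
A monitoring check for the situation described in this message, as an added example that is not part of the original post or of OpenDNSSEC: it parses `ods-ksmutil key list -v` output in the layout shown in the post and reports keys whose scheduled transition time has already passed. The function names are hypothetical, and the sample text is the post's first listing.

```python
import re
from datetime import datetime

# One key record of `ods-ksmutil key list -v`, matched on whitespace-normalised
# text so it parses whether or not a mail client wrapped the columns.
RECORD = re.compile(
    r"(?<!\S)(?P<zone>\S+) (?P<keytype>KSK|ZSK) (?P<state>\w+) "
    r"(?P<when>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}|next rollover) "
    r"\((?P<to>\w+)\) (?P<size>\d+) (?P<alg>\d+) "
    r"(?P<cka_id>[0-9a-f]+) (?P<repo>\S+) (?P<keytag>\d+)(?!\S)"
)

def parse_key_list(text):
    """Return one dict per key; 'when' is a datetime, or None for 'next rollover'."""
    keys = []
    for m in RECORD.finditer(" ".join(text.split())):
        key = m.groupdict()
        key["when"] = (None if key["when"] == "next rollover"
                       else datetime.strptime(key["when"], "%Y-%m-%d %H:%M:%S"))
        keys.append(key)
    return keys

def overdue_transitions(text, now):
    """Keys whose scheduled transition time is already in the past at 'now'.
    Assumption: listing timestamps and 'now' are in the same local time zone."""
    return [k for k in parse_key_list(text) if k["when"] and k["when"] < now]

# Sample input: the first listing from the post, wrapped as it arrived by mail.
SAMPLE = """\
Keys:
Zone: Keytype: State: Date of next transition
(to): Size: Algorithm: CKA_ID: Repository:
Keytag:
example KSK active 2013-07-05 20:48:04
(retire) 2048 8 4f6800a714b360cacaef8f7705b296f4 SoftHSM
3224
example ZSK active 2012-07-09 21:48:58
(retire) 1024 8 183fa4c0dfcfc41644b83565e228d74d SoftHSM
38478
example ZSK ready next rollover
(active) 1024 8 149877dc0a7382a80936977b36b4f53e SoftHSM
24096
"""

if __name__ == "__main__":
    now = datetime(2012, 7, 12, 10, 18, 50)  # the `date` output in the post
    for k in overdue_transitions(SAMPLE, now):
        print(f"{k['zone']} {k['keytype']} keytag {k['keytag']}: still {k['state']}, "
              f"{k['to']} was due {k['when']}")
```

Run from cron against live `ods-ksmutil key list -v` output, a non-empty result is a signal that a scheduled transition has stalled and needs operator attention.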