Hi Gilles,

On 04-06-14 15:24, Gilles Massen wrote:
> Hi,
>
>> Roughly: you should be able to run ods-signerd with a single run and a
>> specific config file:
>>
>> 1. Create a new conf.xml, probably using some different file locations.
>> 2. Make a signer configuration file signconf.xml for a zone, referencing
>>    the specific locator of the key.
>> 3. Run 'ods-signerd -c conf.xml -1' (different cfg, single run)
>
> I try to get this to work, but have a few problems. So far I made a copy
> of the setup, adapted conf.xml, stripped the zonelist.xml down to a
> single zone and removed everything but a KSK and the possibly broken ZSK
> from signconf/.xml.
> Note: the KSK was previously active, while the ZSK was retired.

When the ZSK is retired, the signer will not create new signatures
anymore. You should probably add the <ZSK/> flag in the <key> section.

> Now the signer does produce a zone, but signs only the DNSKEY RRset with
> the KSK, and no other record. So the ZSK is not used (but the signer
> does not complain, even with multiple -v).

The signconf has no active ZSK configured, so the signer does not create
ZSK signatures.

> So what am I missing? Does the signer read the kasp.db? (I made the old
> ZSK active in the kasp.db, just in case, but that does not seem to
> help). What am I missing?

The signer does not read kasp.db, it's an enforcer thingy. The signer
gets its configuration from the signconf xml file.

> BTW: is there a way to tell the signer where to put his PID?

Just introduced in 1.3.17: <PidFile> :) (and soon to be in 1.4.6 too).

Best regards,
Matthijs

> best,
> Gilles
> _______________________________________________
> Opendnssec-user mailing list
> [email protected]
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
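The following is an added example, not a file from this thread or from the OpenDNSSEC project itself. It shows the signconf.xml shape that the reply above is pointing at: a per-zone signer configuration in which the <Keys> section lists a KSK and a ZSK, and the ZSK carries the <ZSK/> flag so the signer will use it for RRSIGs over the zone data. The zone name, locators and timing values are constructed placeholders; the element layout follows the OpenDNSSEC 1.x signconf format as far as it is known to the editor, and the version on your installation is what counts.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Constructed example signconf.xml for a single zone (not from the thread).
     The signer reads this file, not kasp.db, so the key roles here decide
     what gets signed. -->
<SignerConfiguration>
  <Zone name="example.invalid">   <!-- placeholder zone name -->
    <Signatures>
      <Resign>PT2H</Resign>
      <Refresh>P3D</Refresh>
      <Validity>
        <Default>P7D</Default>
        <Denial>P7D</Denial>
      </Validity>
      <Jitter>PT12H</Jitter>
      <InceptionOffset>PT3600S</InceptionOffset>
    </Signatures>

    <Denial>
      <NSEC/>
    </Denial>

    <Keys>
      <TTL>PT3600S</TTL>

      <!-- KSK: signs only the DNSKEY RRset. -->
      <Key>
        <Flags>257</Flags>
        <Algorithm>8</Algorithm>
        <Locator>PLACEHOLDER-KSK-LOCATOR</Locator>  <!-- CKA_ID of the HSM key -->
        <KSK/>
        <Publish/>
      </Key>

      <!-- The problem case: a ZSK that is only published (no <ZSK/> flag).
           The DNSKEY record appears in the zone, but no RRSIGs are made with it.
      <Key>
        <Flags>256</Flags>
        <Algorithm>8</Algorithm>
        <Locator>PLACEHOLDER-ZSK-LOCATOR</Locator>
        <Publish/>
      </Key>
      -->

      <!-- Corrected: the ZSK flag tells the signer to sign zone data with it. -->
      <Key>
        <Flags>256</Flags>
        <Algorithm>8</Algorithm>
        <Locator>PLACEHOLDER-ZSK-LOCATOR</Locator>  <!-- same locator as in kasp/HSM -->
        <ZSK/>
        <Publish/>
      </Key>
    </Keys>

    <SOA>
      <TTL>PT3600S</TTL>
      <Minimum>PT3600S</Minimum>
      <Serial>unixtime</Serial>
    </SOA>
  </Zone>
</SignerConfiguration>
```

With this file referenced from the stripped-down zonelist.xml and a conf.xml that points at a separate working directory, a single pass with 'ods-signerd -c conf.xml -1' should produce RRSIGs over all RRsets with the ZSK and over the DNSKEY RRset with the KSK. If only the DNSKEY RRset is signed, check that the <ZSK/> element is present and that the <Locator> matches a key the HSM actually holds.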
