After fixing the permissions for key creation I get the following:
ods-enforcerd: 1 zone(s) found on policy "default"
ods-enforcerd: 1 new KSK(s) (2048 bits) need to be created for policy default: keys_to_generate(1) = keys_needed(1) - keys_available(0).
ods-enforcerd: Created key in repository thales
ods-enforcerd: Created KSK size: 2048, alg: 8 with id: 994410881c1e66e2d075ed1ed1756679 in repository: thales and database.
ods-enforcerd: 1 new ZSK(s) (1024 bits) need to be created for policy default: keys_to_generate(1) = keys_needed(1) - keys_available(0).
ods-enforcerd: Created key in repository thales
ods-enforcerd: Created ZSK size: 1024, alg: 8 with id: fdda444308e69eeabc46e1958a12d512 in repository: thales and database.
...
ods-enforcerd: ZSK key allocation for zone <zone>: 1 key(s) allocated
ods-enforcerd: KSK key allocation for zone <zone>: 1 key(s) allocated
But then:
ods-signerd: [hsm] unable to get key: key 994410881c1e66e2d075ed1ed1756679 not found
ods-signerd: [zone] unable to publish dnskeys for zone <zone>: error creating dnskey
ods-signerd: [tools] unable to read zone <zone>: failed to publish dnskeys (General error)
But:
ods-ksmutil key list --verbose
Zone: Keytype: State: Date of next transition (to): Size: Algorithm: CKA_ID: Repository: Keytag:
<zone> KSK publish 2014-06-10 02:17:13 (ready) 2048 8 994410881c1e66e2d075ed1ed1756679 thales 15664
Is this because the key is not active? Is this a bug?
Also get this:
ods-enforcerd: WARNING: KSK rollover for zone ‘<zone>' not completed as there are no keys in the 'ready' state; ods-enforcerd will try again when it runs next
Any help is appreciated.
Regards
—
David Peall
