Hi Klaus, yes, I notified the enforcer with the command: ods-ksmutil notify
After I issued ods-ksmutil key list --verbose there is still only one KSK two days before the KSK retires. Regards Christoph -----Ursprüngliche Nachricht----- Von: Klaus Darilion [mailto:[email protected]] Gesendet: Dienstag, 15. Juli 2014 16:38 An: Malin Christoph; [email protected] Betreff: Re: [Opendnssec-user] KSK rollover not working in time On 15.07.2014 16:26, [email protected] wrote: > Hi, > > > > I'm playing around with opendnssec. I added a zone to openddnssec and > it was signed. > > Then I changed the date of the Server to (12.07.2015) a few dates > before the KSK retires. > > > > In the log file: > > Rollover of KSK expected at 2015-07-15 18:20:53 for vtg.at > > > > Also when I print the current keys: > > vtg.at KSK active 2015-07-15 > 18:20:53 (retire) Have you manually run the enforcer? AFAIK the enforcer is run only once an hour and it may have not run after you have updated the local time. regards Klaus > > > > Then I changed the date to 2015-07-16. Suddenly a second KSK was here. > > vtg.at KSK ready waiting for > ds-seen (active) 2048 > > > > Why was the key not generated before the retire? I want that the key > gets generated 10 days before he expires. > > Otherwise the chain of trust is broken. > > > > Can anybody help me? > > > > Best regards, > > Christoph > > > > > > _______________________________________________ > Opendnssec-user mailing list > [email protected] > https://lists.opendnssec.org/mailman/listinfo/opendnssec-user > _______________________________________________ Opendnssec-user mailing list [email protected] https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
