You may try to stop the enforcer, and then run it manually only one time in debug mode:
ods-enforcerd -d -1 It also may be that the enforcer did not received the notify (IIRC they use sockets for interaction and there may be file permission issues),e.g. when enforcer and ksm-util are running as different users. regards Klaus On 15.07.2014 17:01, [email protected] wrote: > Hi Klaus, > > yes, I notified the enforcer with the command: ods-ksmutil notify > > After I issued ods-ksmutil key list --verbose there is still only one KSK two > days before the KSK retires. > > Regards > Christoph > > > -----Ursprüngliche Nachricht----- > Von: Klaus Darilion [mailto:[email protected]] > Gesendet: Dienstag, 15. Juli 2014 16:38 > An: Malin Christoph; [email protected] > Betreff: Re: [Opendnssec-user] KSK rollover not working in time > > > On 15.07.2014 16:26, [email protected] wrote: >> Hi, >> >> >> >> I'm playing around with opendnssec. I added a zone to openddnssec and >> it was signed. >> >> Then I changed the date of the Server to (12.07.2015) a few dates >> before the KSK retires. >> >> >> >> In the log file: >> >> Rollover of KSK expected at 2015-07-15 18:20:53 for vtg.at >> >> >> >> Also when I print the current keys: >> >> vtg.at KSK active 2015-07-15 >> 18:20:53 (retire) > > Have you manually run the enforcer? AFAIK the enforcer is run only once an > hour and it may have not run after you have updated the local time. > > regards > Klaus > >> >> >> >> Then I changed the date to 2015-07-16. Suddenly a second KSK was here. >> >> vtg.at KSK ready waiting for >> ds-seen (active) 2048 >> >> >> >> Why was the key not generated before the retire? I want that the key >> gets generated 10 days before he expires. >> >> Otherwise the chain of trust is broken. >> >> >> >> Can anybody help me? >> >> >> >> Best regards, >> >> Christoph >> >> >> >> >> >> _______________________________________________ >> Opendnssec-user mailing list >> [email protected] >> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user >> _______________________________________________ Opendnssec-user mailing list [email protected] https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
