Hi Håvard,

For now I made an issue in our tracker for it
https://issues.opendnssec.org/browse/OPENDNSSEC-752

Regards,
Yuri

On 25-01-16 15:35, Havard Eidnes wrote:
> Hi,
>
> I had reason to inspect the log from the physical console on our
> signer host, and found messages from ods-enforcerd related to two
> of our zones:
>
> Jan 24 17:07:01 hugin ods-enforcerd: Error allocating ksks to zone godegrep.no
> Jan 24 17:07:16 hugin ods-enforcerd: Error allocating zsks to zone 2.1.2.6.1.9.3.7.7.4.nrenum.net
>
> and that this is a recurring theme.
>
> Looking at the log reveals a bit more:
>
> Jan 25 14:12:48 hugin ods-enforcerd: Zone godegrep.no found.
> Jan 25 14:12:48 hugin ods-enforcerd: Policy for godegrep.no set to default.
> Jan 25 14:12:48 hugin ods-enforcerd: Config will be output to /var/opendnssec/signconf/godegrep.no.xml.
> Jan 25 14:12:48 hugin ods-enforcerd: Not enough keys to satisfy ksk policy for zone: godegrep.no. keys_to_allocate(1) = keys_needed(1) - (keys_available(1) - keys_pending_retirement(1))
> Jan 25 14:12:48 hugin ods-enforcerd: Tried to allocate 1 keys, failed on allocating key number 1
> Jan 25 14:12:48 hugin ods-enforcerd: ods-enforcerd will create some more keys on its next run
> Jan 25 14:12:48 hugin ods-enforcerd: Error allocating ksks to zone godegrep.no
>
> It seems to me that the calculation above wrt. keys_to_allocate is
> correct, but the statement that ods-enforcerd will create more keys
> on its next run appears to be a blatant lie.
>
> Listing the keys for these zones reveals that some of the "Date of
> next transition" has come and gone without the transition to the
> next state having taken place, and one of the key sets has a key in
> "generate" state which isn't visible without the "-all" switch:
>
> ods @ hugin: {6} ods-ksmutil key list -all --zone godegrep.no
> Keys:
> Zone:                           Keytype:      State:    Date of next transition:
> godegrep.no                     KSK           active    2015-12-13 15:12:43
> godegrep.no                     ZSK           retire    2015-12-29 09:45:48
> godegrep.no                     ZSK           active    2016-01-07 04:30:48
> godegrep.no                     ZSK           generate  (not scheduled)
>
> ods @ hugin: {7} ods-ksmutil key list --all --zone 2.1.2.6.1.9.3.7.7.4.nrenum.net
> Keys:
> Zone:                           Keytype:      State:    Date of next transition:
> 2.1.2.6.1.9.3.7.7.4.nrenum.net  KSK           active    2016-12-09 23:42:31
> 2.1.2.6.1.9.3.7.7.4.nrenum.net  ZSK           active    2016-01-06 00:25:00
>
> ods @ hugin: {8}
>
> I'm not sure when this started.
>
> So...
>
> 1) Any idea how OpenDNSSEC got itself into this state?
>
> 2) Are there any manual steps I have to perform to get it out of
> this state for these two zones?
>
> 3) Rhetorical: why doesn't OpenDNSSEC recover by itself from this?
>
>
> Best regards,
>
> - Håvard
> _______________________________________________
> Opendnssec-user mailing list
> [email protected]
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
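
A monitoring check for the stalled state shown in the quoted listing and log, as an added example that is not part of the original message or of OpenDNSSEC: it flags keys whose "Date of next transition" has already passed and re-checks the enforcer's keys_to_allocate arithmetic. The sample listing and log line are constructed from the output quoted above; the function names and the reference time (the log timestamp, year 2016 assumed) are assumptions.

```python
import re
from datetime import datetime

# Constructed sample input, modelled on the `ods-ksmutil key list` output and
# the enforcer log line quoted in the message above.
KEY_LIST = """\
Keys:
Zone:                           Keytype:      State:    Date of next transition:
godegrep.no                     KSK           active    2015-12-13 15:12:43
godegrep.no                     ZSK           retire    2015-12-29 09:45:48
godegrep.no                     ZSK           active    2016-01-07 04:30:48
godegrep.no                     ZSK           generate  (not scheduled)
"""
LOG_LINE = (
    "Jan 25 14:12:48 hugin ods-enforcerd: Not enough keys to satisfy ksk policy for zone: godegrep.no. "
    "keys_to_allocate(1) = keys_needed(1) - (keys_available(1) - keys_pending_retirement(1))")

ROW = re.compile(r"^(\S+)\s+(KSK|ZSK)\s+(\S+)\s+"
                 r"(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d|\(not scheduled\))\s*$")
SHORTFALL = re.compile(
    r"Not enough keys to satisfy (\w+) policy for zone: (\S+?)\. "
    r"keys_to_allocate\((\d+)\) = keys_needed\((\d+)\) - "
    r"\(keys_available\((\d+)\) - keys_pending_retirement\((\d+)\)\)")

def overdue_keys(listing, now):
    """Return (zone, keytype, state, due) for keys whose transition date has passed."""
    late = []
    for line in listing.splitlines():
        m = ROW.match(line)
        if not m or m.group(4).startswith("("):
            continue  # header line, or a key with no scheduled transition
        due = datetime.strptime(m.group(4), "%Y-%m-%d %H:%M:%S")
        if due < now:
            late.append((m.group(1), m.group(2), m.group(3), due))
    return late

def parse_shortfall(line):
    """Extract the enforcer's key arithmetic from a log line and re-check it."""
    m = SHORTFALL.search(line)
    if not m:
        return None
    to_alloc, needed, avail, retiring = map(int, m.groups()[2:])
    return {"zone": m.group(2), "keytype": m.group(1), "to_allocate": to_alloc,
            "consistent": to_alloc == needed - (avail - retiring)}

if __name__ == "__main__":
    for row in overdue_keys(KEY_LIST, datetime(2016, 1, 25, 14, 12, 48)):
        print("overdue:", *row)
    print(parse_shortfall(LOG_LINE))
```

Keys in "generate" state carry no date and are skipped, so a zone can show a shortfall in the log while only its dated keys appear as overdue.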
