Re: [Opendnssec-user] Error allocating ksks / zsks

Wed, 03 Feb 2016 00:42:05 -0800 

For the other zone, the 2.1.2.6.1.9.3.7.7.4.nrenum.net zone, I
tried another approach, namely I tried to initiate a manual key
rollover for both the ZSK and the KSK:

ods @ hugin: {22} ods-ksmutil key list --all --zone 
2.1.2.6.1.9.3.7.7.4.nrenum.net
Keys:
Zone:                           Keytype:      State:    Date of next transition:
2.1.2.6.1.9.3.7.7.4.nrenum.net  KSK           active    2016-12-09 23:42:31 
2.1.2.6.1.9.3.7.7.4.nrenum.net  ZSK           active    2016-01-06 00:25:00 

ods @ hugin: {23} ods-ksmutil key rollover --zone 
2.1.2.6.1.9.3.7.7.4.nrenum.net -t zsk

Manual key rollover for key type zsk on zone 2.1.2.6.1.9.3.7.7.4.nrenum.net 
initiated
Notifying enforcer of new database...
ods @ hugin: {24} ods-ksmutil key list --all --zone 
2.1.2.6.1.9.3.7.7.4.nrenum.net
Keys:
Zone:                           Keytype:      State:    Date of next transition:
2.1.2.6.1.9.3.7.7.4.nrenum.net  KSK           active    2016-12-09 23:42:31 
2.1.2.6.1.9.3.7.7.4.nrenum.net  ZSK           active    2016-02-03 09:33:23 

ods @ hugin: {25} ods-ksmutil key rollover --zone 
2.1.2.6.1.9.3.7.7.4.nrenum.net -t ksk

Manual key rollover for key type ksk on zone 2.1.2.6.1.9.3.7.7.4.nrenum.net 
initiated
Notifying enforcer of new database...
ods @ hugin: {26} ods-ksmutil key list --all --zone 
2.1.2.6.1.9.3.7.7.4.nrenum.net
Keys:
Zone:                           Keytype:      State:    Date of next transition:
2.1.2.6.1.9.3.7.7.4.nrenum.net  KSK           active    2016-02-03 09:34:38 
2.1.2.6.1.9.3.7.7.4.nrenum.net  ZSK           active    2016-02-03 09:33:23 

ods @ hugin: {27} 

Looking at the log I still see errors of this type:

Feb  3 09:35:00 hugin ods-enforcerd: Not enough keys to satisfy zsk policy for 
zone: 2.1.2.6.1.9.3.7.7.4.nrenum.net. keys_to_allocate(1) = keys_needed(1) - 
(keys_available(1) - keys_pending_retirement(1)) 
Feb  3 09:35:00 hugin ods-enforcerd: Tried to allocate 1 keys, failed on 
allocating key number 1
Feb  3 09:35:00 hugin ods-enforcerd: ods-enforcerd will create some more keys 
on its next run
Feb  3 09:35:00 hugin ods-enforcerd: Error allocating zsks to zone 
2.1.2.6.1.9.3.7.7.4.nrenum.net

and similarly for the attempt at rolling the ZSK.

Bah!

Regards,

- HÃ¥vard
_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user

Reply via email to