On 12/19/2016 01:59 PM, Yuri Schaeffer wrote:
>> I suspect it's waiting for termination.
>
> At this point I haven't looked into it yet but judging from your mail
> I'd say the script simply isn't called yet. It takes some time for the
> zone to be ready to introduce the DS records. Only when it is it will
> call the script.
>
> Try "ods-enforcer key list". If the state of the KSK isn't 'waiting for
> ds-seen' the DS record is simply not submitted.
that shows that it IS ...
/usr/local/opendnssec/sbin/ods-enforcer key list --verbose
Keys:
Zone:         Keytype: State:  Date of next transition: Size: Algorithm: CKA_ID:                          Repository: KeyTag:
example.info  KSK      ready   waiting for ds-seen      2048  8          690c90a78f1ba38fcbf76f248a4fe47e SoftHSM     56995
example.info  ZSK      active  2016-12-19 17:25:55      1024  8          0c60caf105ce9edef9048b19eed84db9 SoftHSM     6126
reading,
https://www.opendnssec.org/documentation/using-opendnssec/
suggests exec'ing
/usr/local/opendnssec/sbin/ods-ksmutil key ds-seen -z example.info -x 56995
but
ls /usr/local/opendnssec/sbin/ods-ksmutil
ls: cannot access '/usr/local/opendnssec/sbin/ods-ksmutil': No such file or directory
find /usr/local/opendnssec/ | grep ksm
(empty)
this
https://wiki.opendnssec.org/display/DOCS20/conf.xml
refers to
ods-ksmutil
@ src,
cat NEWS
...
* OPENDNSSEC-390: ods-ksmutil: Add an option to the
'ods-ksmutil key ds-seen'
command so the user can choose not to notify the enforcer.
...
after a bit of digging, seems !ods-ksmutil, but ods-enforcer is to be used
(would be helpful if DOCS reflected that)
/usr/local/opendnssec/sbin/ods-enforcer key ds-seen -z example.info -x 56995
1 KSK matches found.
1 KSKs changed.
now,
/usr/local/opendnssec/sbin/ods-enforcer key list --verbose
Keys:
Zone:         Keytype: State:  Date of next transition: Size: Algorithm: CKA_ID:                          Repository: KeyTag:
example.info  KSK      active  2016-12-19 17:25:55      2048  8          690c90a78f1ba38fcbf76f248a4fe47e SoftHSM     56995
example.info  ZSK      active  2016-12-19 17:25:55      1024  8          0c60caf105ce9edef9048b19eed84db9 SoftHSM     6126
So a state change, but still no email sent.
Is there another step, or different action, needed?
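The check discussed in this message (is a KSK in 'waiting for ds-seen', and which key tag does it carry) can be scripted. The following is an added example, not part of the original message or of OpenDNSSEC: the function names are hypothetical, the sample rows are the first key listing above unwrapped to one line per key, and the script assumes `ods-enforcer key list --verbose` prints each key on a single line.

```shell
#!/bin/sh
# Added example: find KSKs that "ods-enforcer key list --verbose" reports as
# "waiting for ds-seen". Zone and key type are read from the left and the key
# tag from the right, because the state and date columns contain spaces.

# Sample rows, unwrapped from the first listing quoted in the message.
sample_key_list() {
cat <<'EOF'
Keys:
Zone:         Keytype: State:  Date of next transition: Size: Algorithm: CKA_ID:                          Repository: KeyTag:
example.info  KSK      ready   waiting for ds-seen      2048  8          690c90a78f1ba38fcbf76f248a4fe47e SoftHSM     56995
example.info  ZSK      active  2016-12-19 17:25:55      1024  8          0c60caf105ce9edef9048b19eed84db9 SoftHSM     6126
EOF
}

# Reads key-list rows on stdin; prints "zone keytag" for each waiting KSK.
# Header lines are skipped because their last field is not numeric.
ksk_waiting_for_ds_seen() {
    awk '
        $2 == "KSK" && /waiting for ds-seen/ && $NF ~ /^[0-9]+$/ {
            print $1, $NF
        }'
}

# Prints the ds-seen command for each waiting KSK; it does not run anything.
suggest_ds_seen() {
    ksk_waiting_for_ds_seen | while read -r zone tag; do
        printf 'ods-enforcer key ds-seen -z %s -x %s\n' "$zone" "$tag"
    done
}

# On a live system, replace sample_key_list with the real command.
sample_key_list | suggest_ds_seen
```

Run the printed command only once the DS record is actually visible in the parent zone, since `ds-seen` tells the enforcer that it is.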