Is it possible you haven't published a new zone yet with the new key? Can you force a re-sign?
-jake

-----Original Message-----
From: Opendnssec-user <[email protected]> On Behalf Of Erwan David
Sent: November-02-18 2:41 PM
To: [email protected]
Subject: [Opendnssec-user] KSK rollover gone wrong

Hi,

It is my first KSK rollover with opendnssec 2.x (2.1.3).

As DelegationSignerSubmitCommand I have a script which sends me the new DNSKEY record.

So now I have the following state:

root@ns:~ # ods-enforcer key list -v
Keys:
Zone:        Keytype: State:  Date of next transition: Size: Algorithm: CKA_ID:                          Repository: KeyTag:
rail.eu.org  KSK      retire  waiting for ds-gone      2048  8          b656abe183f04bb79532cef7e560f385 SoftHSM     60025
rail.eu.org  ZSK      retire  2018-11-10 06:40:45      1024  8          3be292fdeffa05c2fb7094aad65bdc9f SoftHSM     58794
rail.eu.org  ZSK      ready   2018-11-10 06:40:45      1024  8          06f37e2866ef467c02b1f14aa7835dc8 SoftHSM     33120
rail.eu.org  KSK      ready   waiting for ds-seen      2048  8          27511d0b7ff7ca21510317ad95be546a SoftHSM     43375

So, following the doc, I issued the following:

root@ns:~ # ods-enforcer key ds-submit -z rail.eu.org -x 43375
0 KSK matches found.
0 KSKs changed.

And DNSKEY 43375 is not in the signed zone (only 60025 for KSK).

My registrar checks that I publish the DNSKEY record before publishing the DS, thus I cannot add it.

What should I do in this situation?

Thanks.

_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
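The situation in the thread hinges on one question: is the new KSK's DNSKEY actually present in the signed zone before the DS is submitted? That is the check the registrar performs, and it is worth running locally on the signer's output before calling ds-submit. The following is an added example, not part of this thread and not OpenDNSSEC's own code: it parses DNSKEY records from a zone in presentation format, computes each key's tag with the RFC 4034 Appendix B algorithm, and reports whether a given tag is published as a KSK (SEP bit set). The sample zone and its key material are constructed and deliberately tiny fake keys, so the tags they produce (1291 and 1048) are not the thread's real tags 43375 and 60025; point `published_key_tags` at the real signed zone text to get real answers.

```python
import base64


# Constructed sample of a signed zone in presentation format. The key
# material is tiny and fake (not real RSA keys); it only exercises the
# parsing and the key-tag arithmetic.
SAMPLE_SIGNED_ZONE = """\
; constructed example zone, not rail.eu.org's real data
rail.eu.org.    3600    IN  SOA   ns.rail.eu.org. hostmaster.rail.eu.org. 2018110201 3600 900 1209600 300
rail.eu.org.    3600    IN  DNSKEY 257 3 8 AQI=      ; KSK (SEP bit set)
rail.eu.org.    3600    IN  DNSKEY 256 3 8 ABA=      ; ZSK
rail.eu.org.    3600    IN  NS    ns.rail.eu.org.
"""


def parse_dnskeys(zone_text):
    """Return DNSKEY records (as dicts) found in presentation-format zone text.

    Comments after ';' are stripped and base64 split across several tokens is
    rejoined. Records wrapped over multiple lines with parentheses are not
    handled by this example.
    """
    records = []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        tokens = line.split()
        if "DNSKEY" not in tokens:
            continue
        i = tokens.index("DNSKEY")
        if len(tokens) < i + 5:
            raise ValueError(f"malformed DNSKEY record: {raw!r}")
        flags, protocol, algorithm = (int(t) for t in tokens[i + 1:i + 4])
        pubkey = base64.b64decode("".join(tokens[i + 4:]), validate=True)
        records.append({"owner": tokens[0], "flags": flags, "protocol": protocol,
                        "algorithm": algorithm, "pubkey": pubkey})
    return records


def key_tag(flags, protocol, algorithm, pubkey):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA.

    Algorithm 1 (RSA/MD5) uses a different rule and is rejected here.
    """
    if algorithm == 1:
        raise ValueError("algorithm 1 key tags are not supported by this example")
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b  # even bytes are the high octet
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def published_key_tags(zone_text, ksk_only=False):
    """Set of key tags present in the zone; optionally only keys with the SEP bit."""
    tags = set()
    for rec in parse_dnskeys(zone_text):
        is_ksk = bool(rec["flags"] & 0x0001)  # SEP bit marks a KSK
        if ksk_only and not is_ksk:
            continue
        tags.add(key_tag(rec["flags"], rec["protocol"], rec["algorithm"], rec["pubkey"]))
    return tags


def safe_to_submit_ds(zone_text, keytag):
    """True only when a KSK carrying this tag is actually in the signed zone."""
    return keytag in published_key_tags(zone_text, ksk_only=True)


if __name__ == "__main__":
    print("published KSK tags:", sorted(published_key_tags(SAMPLE_SIGNED_ZONE, ksk_only=True)))
    for tag in (1291, 43375):
        verdict = "ok to submit DS" if safe_to_submit_ds(SAMPLE_SIGNED_ZONE, tag) else "NOT in signed zone"
        print(f"key tag {tag}: {verdict}")
```

Usage note: feed the function the signer's actual output zone file (or the DNSKEY RRset fetched from the authoritative server), and only run ds-submit for a tag that `safe_to_submit_ds` accepts; a tag that the enforcer reports as "ready" but that is absent from the signed zone, as in the thread, is exactly the case this check catches.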
