On Mon, 2018-10-01 at 22:42 -0700, Diane Trout wrote:

> Could you go into a bit more detail about how dnssec-triggerd-keygen
> isn't working for you?

As mentioned in the initial mail in the bug by brian m. carlson, it
creates the keys in /etc, not in /etc/dnssec-trigger and the latter is
where dnssec-triggerd looks for the keys.

> Because currently the easiest answer I can think of for this is to
> delete the keys and restart the daemons on upgrade.

That seems like the reasonable thing to do as long as the code for this
checks that the keys are long enough for the new openssl. It should
probably also add a trigger on the openssl files, so that merely
upgrading openssl to the new version does the delete and restart.

> Also I'm a bit surprised the panel is working. I guess this means
> you're using something that is not gnome.

I am using GNOME. The panel item was *not* working and thus generating
the errors in the dnssec-triggerd logs. This is because after the key
was replaced and the daemon restarted, it didn't reload the key from
disk and use the new one instead of the old one. So the panel needs to
handle a daemon restart (I assume it gets notification of that event)
by reloading the key before connecting to the newly restarted daemon.

-- 
bye,
pabs

https://wiki.debian.org/PaulWise
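A sketch of the upgrade-time check discussed in the reply above, added here as an example and not code from the bug thread or from the dnssec-trigger package: it measures each private key under /etc/dnssec-trigger, removes the ones too short for the newer OpenSSL, and then hands off to the packaged regeneration and restart. The key file glob, the 2048-bit minimum, the service name dnssec-triggerd, and the bare dnssec-triggerd-keygen invocation are assumptions; the thread does not show the keygen script's options, so it is called without any.

```shell
#!/bin/sh
# Added example, not from the bug thread or the dnssec-trigger package.
# Assumptions: keys are $KEYDIR/*.key with a matching .pem, 2048 bits is
# the minimum the newer OpenSSL accepts, the service is dnssec-triggerd,
# and dnssec-triggerd-keygen (assumed fixed to write into $KEYDIR) takes
# no options.

KEYDIR=${KEYDIR:-/etc/dnssec-trigger}
MIN_BITS=${MIN_BITS:-2048}

# Read `openssl rsa -noout -text` output on stdin and print the modulus
# size. Kept separate from the openssl call so it can be tested without
# a key file; matches both "(2048 bit)" and "(2048 bit, 2 primes)".
rsa_bits_from_text() {
    sed -n 's/^.*Private-Key: (\([0-9][0-9]*\) bit.*$/\1/p' | head -n 1
}

# Exit status 0 when the key described on stdin is shorter than MIN_BITS.
# Unparseable output is treated as "replace it", not "keep it".
key_too_short() {
    bits=$(rsa_bits_from_text)
    if [ -z "$bits" ]; then
        return 0
    fi
    [ "$bits" -lt "$MIN_BITS" ]
}

# Remove every too-short key and its certificate; prints the number of
# keys removed so the caller knows whether regeneration is due.
purge_short_keys() {
    removed=0
    for key in "$KEYDIR"/*.key; do
        [ -f "$key" ] || continue
        if openssl rsa -in "$key" -noout -text 2>/dev/null | key_too_short; then
            rm -f "$key" "${key%.key}.pem"
            removed=$((removed + 1))
        fi
    done
    echo "$removed"
}

if [ "$(purge_short_keys)" -gt 0 ]; then
    # Both commands are package-provided; skipped when not installed.
    command -v dnssec-triggerd-keygen >/dev/null && dnssec-triggerd-keygen
    command -v invoke-rc.d >/dev/null && invoke-rc.d dnssec-triggerd restart
fi
```

The same check is what an openssl file trigger would run, so the delete-and-restart also happens when only openssl is upgraded.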