On 28.2.2016 14:51, Peter Fern wrote: > Hi all, > A new KSK has been auto-generated, and it's transitioned through > 'published' and is now sitting in the 'ready' state, but does not appear > as a DNSKEY record on the zone. I can see that ods-enforcerd has picked > up the state change correctly and logged a DSChanged event with the > correct output for the new DNSKEY record, and it appears as expected in > localhsm, but is not published on the zone. > > Running FreeIPA 4.3.0-1.fc23, anyone got pointers on how to proceed with > the rollover?
Hi, I would recommend you to wait until fix https://fedorahosted.org/freeipa/ticket/5334 is released in 4.3.1 or so. After that you can use procedure described on page http://www.freeipa.org/page/Howto/DNSSEC to run ds-seen command. I hope this helps. -- Petr^2 Spacek -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project