Hi

> /usr/local/opendnssec/bin/ods-ksmutil key list --verbose
> SQLite database set to: /var/opendnssec/kasp.db
> Keys:
> Zone:  Keytype:  State:   Date of next transition:  CKA_ID:                           Repository:  Keytag:
> co.nz  KSK       active   2010-04-15 16:29:10       3996d43aca8dea21830a1c9299d693ef  softHSM      33249
> co.nz  KSK       ready    waiting for ds-seen       b133bb8d3bb6664d73de0dcba5adc481  softHSM      33054
> co.nz  KSK       ready    waiting for ds-seen       6d895ad0b98a1e3deb63eca7c985fae8  softHSM      34773
> co.nz  ZSK       active   2010-04-17 16:29:10       a008c770853ff48e5db645e400e99e71  softHSM      35157
> co.nz  ZSK       ready    next rollover             c92810080bea87634abd42cc7f3593ae  softHSM      57504
>
> But the output zone contains:
>
> name   type          keytype     algorithm
> co.nz  DNSKEY-23213  DNSKEY-ZSK  7
> co.nz  DNSKEY-33054  DNSKEY-KSK  7
> co.nz  DNSKEY-33249  DNSKEY-KSK  7
> co.nz  DNSKEY-42044  DNSKEY-ZSK  7
> co.nz  DNSKEY-47295  DNSKEY-ZSK  7
> co.nz  DNSKEY-9516   DNSKEY-KSK  7
Have you done anything special with the rollovers or introduction of new keys? It is a little bit odd that only two of the keytags match. What keys do you have in the signconf? co.nz.xml?

> but the signatures for the zone records are generated using key 35157,
> which is consistent with ksmutil output. To verify it is not a BIND issue,
> I checked the output signed zone, and it effectively didn't include the ZSK
> but included some old rolled-over keys.
>
> I proceeded to delete the signed zone and force the signing of the zone
> using ods-signer sign co.nz. The result was the zone now contains the
> right KSK/ZSK... Is OpenDNSSEC obtaining the DNSKEY for the existing
> signed zone?

Everything is done using the files in the working directory. So to clear the state of the Signer, you should delete the files in the tmp-directory.

// Rickard

_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
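A check for the mismatch discussed in this thread, as an added example (not code from OpenDNSSEC or from either poster): it parses `ods-ksmutil key list --verbose` output and the zone's DNSKEY summary, then reports DNSKEYs the zone publishes that KASP no longer tracks (leftover signer state), keys KASP expects to be published but the zone lacks, and keytype disagreements. Both inputs are constructed to mirror the thread; the set of KASP states in which a DNSKEY should appear in the zone is an assumption based on OpenDNSSEC 1.x key states.

```python
import re
# Constructed to mirror the thread's `ods-ksmutil key list --verbose` output.
KSMUTIL_OUTPUT = """\
co.nz  KSK  active  2010-04-15 16:29:10  3996d43aca8dea21830a1c9299d693ef  softHSM  33249
co.nz  KSK  ready  waiting for ds-seen  b133bb8d3bb6664d73de0dcba5adc481  softHSM  33054
co.nz  KSK  ready  waiting for ds-seen  6d895ad0b98a1e3deb63eca7c985fae8  softHSM  34773
co.nz  ZSK  active  2010-04-17 16:29:10  a008c770853ff48e5db645e400e99e71  softHSM  35157
co.nz  ZSK  ready  next rollover  c92810080bea87634abd42cc7f3593ae  softHSM  57504
"""
# Constructed to mirror the DNSKEY summary of the signed zone in the thread.
ZONE_DNSKEYS = """\
co.nz  DNSKEY-23213  DNSKEY-ZSK  7
co.nz  DNSKEY-33054  DNSKEY-KSK  7
co.nz  DNSKEY-33249  DNSKEY-KSK  7
co.nz  DNSKEY-42044  DNSKEY-ZSK  7
co.nz  DNSKEY-47295  DNSKEY-ZSK  7
co.nz  DNSKEY-9516   DNSKEY-KSK  7
"""
# Assumption: OpenDNSSEC 1.x KASP states whose DNSKEY should be in the zone.
PUBLISHED_STATES = {"publish", "ready", "active", "retire"}
# ksmutil row: zone, keytype, state, dates/notes, 32-hex CKA_ID, repository, keytag
KSM_RE = re.compile(r"^\S+\s+(KSK|ZSK)\s+(\S+)\s+.*?[0-9a-f]{32}\s+\S+\s+(\d+)\s*$")
# zone summary row: name, DNSKEY-<keytag>, DNSKEY-<keytype>, algorithm
ZONE_RE = re.compile(r"^\S+\s+DNSKEY-(\d+)\s+DNSKEY-(KSK|ZSK)\s+\d+\s*$")

def parse_ksmutil(text):
    """Map keytag -> (keytype, state) for every key row of ksmutil output."""
    return {int(m.group(3)): (m.group(1), m.group(2))
            for m in map(KSM_RE.match, text.splitlines()) if m}

def parse_zone_dnskeys(text):
    """Map keytag -> keytype for every DNSKEY row of the zone summary."""
    return {int(m.group(1)): m.group(2)
            for m in map(ZONE_RE.match, text.splitlines()) if m}

def compare_keys(ksmutil_text, zone_text):
    """Diff KASP's view of the keys against the DNSKEYs the signed zone publishes."""
    kasp = parse_ksmutil(ksmutil_text)
    zone = parse_zone_dnskeys(zone_text)
    expected = {t for t, (_, state) in kasp.items() if state in PUBLISHED_STATES}
    both = set(zone) & set(kasp)
    return {
        "stale_in_zone": set(zone) - set(kasp),        # leftover signer state
        "missing_from_zone": expected - set(zone),     # KASP expects, zone lacks
        "keytype_mismatch": {t for t in both if zone[t] != kasp[t][0]},
        "consistent": {t for t in both if zone[t] == kasp[t][0]},
    }
if __name__ == "__main__":
    for name, tags in compare_keys(KSMUTIL_OUTPUT, ZONE_DNSKEYS).items():
        print(f"{name}: {sorted(tags)}")
```

With the thread's data, the four unknown DNSKEYs show up as stale and the three ready/active keys missing from the zone are the ones a forced re-sign after clearing the signer's tmp-directory should bring back.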
