> So, I'm a bit stuck, because the enforcer tells me : > > Jul 7 10:56:20 ns1 ods-enforcerd: WARNING: KSK Retirement reached; please > submit the new DS for 242.143.79.in-addr.arpa and use ods-ksmutil key > ksk-roll to roll the key. > > Which I can't do, because the DS can't be accepted :-) > > Chicken, Egg...
This message is during a scheduled rollover and so a replacement key _should_ have been prepublished in the zone. The situation where the DS exists without the key being in the zone is for a standby KSK only. Sion _______________________________________________ Opendnssec-user mailing list [email protected] https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
