Hello Sion,

If I try to pregenerate keys on policies with

    ods-ksmutil key generate --policy X --interval P30D

then I would expect to see enough keys to last 30 days. Our policies use shared keys, could that be the reason why we're not seeing keys generated? Also, the problem of not generating keys occurs on those that have no zones assigned.

I'm looking in the MySQL database for this. What I've noticed is that the dnsseckeys table mentions zone_id and not a policy_id; so if a policy has no zones it could not have a record in there. OTOH, in the keypairs table this would be possible, as it does mention a policy_id.

What we're trying to do is pregenerate key pairs for each policy, so the first zone that is registered under it can immediately be signed, without the need to wait for the backup procedure. IOW, this is a bit of a nuisance but not an emergency of any kind.

Any light you can shed on this is welcome.

Thanks,

Rick van Rein
for SURFnet
