On 14.11.2013 15:13, Matthijs Mekking wrote:
On 11/14/2013 02:26 PM, Klaus Darilion wrote:

Meanwhile I restarted the ods-signer daemon and after the next zone file
update, ods signed with the correct key. So for now it is fixed, but do
you have any ideas why the signer still used the old KSK after the KSK
rollover?

Can you perhaps provide logs (off list if you wish)?

We have syslog logging, but this is rather quiet. Is there anything
special for which I should look?

I just wanted to make sure no warnings or errors were logged.

I just checked the logs. The enforcer logged the rollovers (e.g. waiting for ds-seen, ...), but no errors or warnings. Also the signer did not log any warnings/errors. We triggered both - a manual ZSK rollover, followed by a manual KSK rollover and both showed the same problem. The enforcer switched to the new key, but the signer still used the old key.

I also checked the signed zone files (we back them up after every signing run): The new KSK and the new ZSK never showed up in the zone file; only when I restarted the signer daemon did it switch from the old to the new keys.

regards
Klaus
_______________________________________________
Opendnssec-user mailing list
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user