On 02/24/2014 03:49 PM, Emil Natan wrote:
> Hello,
>
> I apologize in advance in case I'm missing something obvious.
> Here is the problem. I have ODS running managing 3 zones. I started with
> these 3 zones and did not add more zones until now. Now I add new zone
> test.org, I tried both ways using "ods-ksmutil zone add" command and
> editing the zonelist file manually, in both cases I finish with zonelist
> containing the new zone. Then I run "ods-ksmutil update all" which shows
> no errors.
>
> zonelist filename set to /usr/local/ods/etc/opendnssec/zonelist.xml.
> kasp filename set to /usr/local/ods/etc/opendnssec/kasp.xml.
> Repository Keyper found
> No Maximum Capacity set.
> RequireBackup set.
> INFO: The XML in /usr/local/ods/etc/opendnssec/conf.xml is valid
> INFO: The XML in /usr/local/ods/etc/opendnssec/zonelist.xml is valid
> INFO: The XML in /usr/local/ods/etc/opendnssec/kasp.xml is valid
>
> In the log file I see:
>
> Feb 24 16:26:17 catwoman ods-enforcerd: Zone test.org found.
> Feb 24 16:26:17 catwoman ods-enforcerd: Policy for test.org set to lab.
> Feb 24 16:26:17 catwoman ods-enforcerd: Config will be output to /usr/local/ods/var/opendnssec/signconf/test.org.xml.
> Feb 24 16:26:17 catwoman ods-enforcerd: Not enough keys to satisfy zsk policy for zone: test.org
> Feb 24 16:26:17 catwoman ods-enforcerd: ods-enforcerd will create some more keys on its next run
> Feb 24 16:26:17 catwoman ods-enforcerd: Error allocating zsks to zone test.org
> Feb 24 16:26:17 catwoman ods-enforcerd: Disconnecting from Database...
> Feb 24 16:26:17 catwoman ods-enforcerd: Sleeping for 20864 seconds.
>
> Restart of the ods-enforcerd does not help and it logs exactly the same
> lines. test.org.xml is also not written under signconf and the
> permissions on that directory seem fine.
> I'm running ODS 1.4.
The ZSK policy message probably indicates that you have backups required for keys (the output from 'ods-ksmutil update all' also suggests this). After adding a new zone, the new keys need to be generated, then backed up, and only then can you sign a zone with them. If you run a daily backup job that does the backups (like I have), you'll need to wait up to 24 hours before the new zone is actually signed.
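To make the ordering in the reply concrete (generate, back up, only then allocate), here is an added illustration, not OpenDNSSEC's own code, that models the enforcer's RequireBackup check over constructed key records; the `Key` fields, the single-state key handling and the timestamps are simplified assumptions.

```python
"""Simplified model of ods-enforcerd's ZSK allocation with <RequireBackup/>.
Added illustration; the real enforcer tracks more key states than this."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Key:
    locator: str                  # HSM key id (constructed sample values below)
    policy: str                   # policy the key was generated for
    role: str                     # "KSK" or "ZSK"
    zone: Optional[str] = None    # None while the key is still unallocated
    backup: Optional[str] = None  # set by 'ods-ksmutil backup commit'


def allocatable_zsks(keys: List[Key], policy: str, require_backup: bool) -> List[Key]:
    """Unallocated ZSKs of this policy that the enforcer may hand to a zone.
    With RequireBackup set, a key without a backup timestamp is not eligible."""
    return [k for k in keys
            if k.role == "ZSK" and k.policy == policy and k.zone is None
            and (k.backup is not None or not require_backup)]


def allocate_zsk(keys: List[Key], zone: str, policy: str,
                 require_backup: bool, needed: int = 1) -> str:
    """Assign ZSKs to the zone; return the log line the enforcer would write."""
    pool = allocatable_zsks(keys, policy, require_backup)
    if len(pool) < needed:
        return f"Not enough keys to satisfy zsk policy for zone: {zone}"
    for k in pool[:needed]:
        k.zone = zone
    return f"Allocated {needed} zsk(s) to zone {zone}"


def backup_commit(keys: List[Key], timestamp: str) -> None:
    """Model of 'ods-ksmutil backup commit': flag every new key as backed up."""
    for k in keys:
        if k.backup is None:
            k.backup = timestamp


def demo(require_backup: bool = True):
    """Constructed scenario from the thread: two fresh 'lab' ZSKs, new zone test.org."""
    keys = [Key("zsk-0001", "lab", "ZSK"), Key("zsk-0002", "lab", "ZSK")]
    before = allocate_zsk(keys, "test.org", "lab", require_backup)  # no backup yet
    backup_commit(keys, "2014-02-25T02:00:00")                       # nightly backup job
    after = allocate_zsk(keys, "test.org", "lab", require_backup)   # now succeeds
    return before, after
```

In OpenDNSSEC 1.4 the corresponding operator steps are `ods-ksmutil key generate --policy lab --interval <period>`, `ods-ksmutil backup prepare`, the HSM backup itself, then `ods-ksmutil backup commit`; `ods-control enforcer notify` wakes the enforcer instead of waiting out the 20864-second sleep shown in the log.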
_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
