On Sun, 2014-08-31 at 15:54 +0000, Abdalmonem Tharwat Galila wrote:
> Thnx a bundle Jarno .
> I do not understand what opendnssec mean by :
>
> WARNING: New KSK has reached the ready state; please submit the DS for myTLD
> and use ods-ksmutil key ds-seen when the DS appears in the DNS.

OpenDNSSEC has created a new KSK and it's been in "xn--wgbh1c" long enough to be properly propagated - so anyone doing a query for a KSK in your zone should find it. The DS record(s) for this KSK now need to be put in your zone's Parent. Once these DS record(s) have been there long enough to be SEEN by anyone looking, you should then inform OpenDNSSEC that the DS has been SEEN (ds-seen). This allows OpenDNSSEC to proceed.

> Also when i run ods-ksmutil key list --verbose , i got that
>
> SQLite database set to: /var/opendnssec/kasp.db
> Keys:
> Zone: Keytype: State: Date of next
> transition (to): Size: Algorithm: CKA_ID:
> Repository: Keytag:
> xn--wgbh1c KSK ready waiting for ds-seen
> (active) 2048 8 105f92815149413be458e05138ba734f SoftHSM-KSK
> 60047
> xn--wgbh1c ZSK active 2014-08-31 20:26:54
> (retire) 1024 8 91a2aa128ce554f23453dec10ce9833b SoftHSM-ZSK
> 56364
>
> What does waiting for ds-seen (active) ?
>
> thnx again for all your support
>
>
> ________________________________________
> From: Jarno Huuskonen [[email protected]]
> Sent: Sunday, August 31, 2014 4:32 PM
> To: Abdalmonem Tharwat Galila
> Cc: [email protected]
> Subject: Re: [Opendnssec-user] Re: ods-enforcerd: Error creating key in
> repository SoftHSM-KSK
>
> Hi,
>
> On Sun, Aug 31, Abdalmonem Tharwat Galila wrote:
> > >> What do you have in softhsm.conf (/etc/softhsm.conf) ?
> >
> > 0:/var/softhsm/slot0.db
> > 1:/var/softhsm/slot1.db
> > 2:/var/softhsm/slot2.db
> >
> > >> Is the user account used for ods-enforcerd able to access the files
> > >> defined in softhsm.conf (can change to the directory and read/write the
> > >> files).
> >
> > How to get that user , you are talking about ?
>
> What do you have in your opendnssec conf.xml
> (/etc/opendnssec/conf.xml?):
>
> Do you have something like:
> <Enforcer>
> <Privileges>
> <User>ods</User>
> <Group>ods</Group>
> </Privileges>
>
> and something similar for <Signer> ?
>
> So assuming you have <User>ods</User> can you try for example:
> su - -s/bin/bash ods
> and after su (as user ods)
> cd /var/softhsm
> ls -l slot*.db
> ls -l .
>
> Also after su can you check that your /var/named/zones/conf/ is
> accessible:
> (ls -l /var/named/zones/conf)
> and
> cd /var/named/zones/conf # if you get permission denied then
> check that /var/named, /var/named/zones and /var/named/zones/conf
> permissions allow access (for example ls -l).
>
> -Jarno
>
> --
> Jarno Huuskonen
> _______________________________________________
> Opendnssec-user mailing list
> [email protected]
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user

--
Mark James ELKINS - Posix Systems - (South) Africa
[email protected] Tel: +27.128070590 Cell: +27.826010496
For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za
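
The check described in the reply above (confirm the DS is visible at the parent before telling OpenDNSSEC it has been seen), as an added example that is not part of the original thread. It assumes the DS export is printed as zone-file lines with `;` comment lines; the digests and the parent's answer are constructed placeholders, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Digests are constructed placeholders.

# ready_ksk_keytags ZONE: stdin is `ods-ksmutil key list --verbose` output;
# prints the keytag (last column) of every KSK of ZONE in state "ready".
ready_ksk_keytags() {
    awk -v zone="$1" '$1 == zone && $2 == "KSK" && $3 == "ready" { print $NF }'
}

# ds_rdata: normalise DS records on stdin to "keytag alg digesttype DIGEST".
# Accepts zone-file lines or `dig +short DS` rdata, skips ";" comment lines
# and joins a digest that dig has split with a space.
ds_rdata() {
    awk '$1 ~ /^;/ || NF == 0 { next }
         { s = 1; d = ""
           for (i = 1; i <= NF; i++) if ($i == "DS") s = i + 1
           for (i = s + 3; i <= NF; i++) d = d $i
           print $s, $(s + 1), $(s + 2), toupper(d) }'
}

# ds_visible EXPORTED PARENT_ANSWER: succeeds only if at least one exported DS
# is present, field for field, in the parent's answer.
ds_visible() {
    want=$(printf '%s\n' "$1" | ds_rdata)
    [ -n "$want" ] || return 1
    printf '%s\n' "$2" | ds_rdata | grep -Fxq -e "$want"
}

# Constructed sample data (key list lines unwrapped from the thread).
KEY_LIST='xn--wgbh1c KSK ready waiting for ds-seen (active) 2048 8 105f92815149413be458e05138ba734f SoftHSM-KSK 60047
xn--wgbh1c ZSK active 2014-08-31 20:26:54 (retire) 1024 8 91a2aa128ce554f23453dec10ce9833b SoftHSM-ZSK 56364'
EXPORTED=';ready KSK DS record (SHA256):
xn--wgbh1c. 3600 IN DS 60047 8 2 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef'
PARENT_ANSWER='60047 8 2 0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF01234567 89ABCDEF'

# On a live system (not run here) the two inputs would come from:
#   EXPORTED=$(ods-ksmutil key export --zone xn--wgbh1c --keystate ready --keytype KSK --ds)
#   PARENT_ANSWER=$(dig +short DS xn--wgbh1c)
tag=$(printf '%s\n' "$KEY_LIST" | ready_ksk_keytags xn--wgbh1c)
if ds_visible "$EXPORTED" "$PARENT_ANSWER"; then
    echo "DS for keytag $tag is published: ods-ksmutil key ds-seen --zone xn--wgbh1c --keytag $tag"
else
    echo "DS for keytag $tag not visible yet; do not run ds-seen"
fi
```

Comparing the whole DS rdata rather than only the keytag avoids a false match on a different key that happens to share the tag. A single resolver's answer shows only that the DS is published; waiting out the parent's DS TTL after that covers caches that still hold the old DS set.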
