"Yuri Schaeffer" schreef in bericht
news:46da313f-2c47-92b1-8c3d-cc1af1ec6...@nlnetlabs.nl...
Hi Fred,
The log message "If this is the result of a key rollover ..." suggests
(at least to me) that it is normal that a manual intervention is needed
during a roll-over, but we are not used to it.
Is this a bug, or is it the intended behavior?
Are there new options to be included in the configuration?
I'm guessing you use 'keep' strategy[0] for the SOA. Then you are
responsible to increment the serial yourself and the signer is unable to
push out updates when that hasn't happened.
The reason for the message is that the enforcer can have the signer
notified that a resign needs to happen. (because a key rollover for
example). But with this serial strategy the signer can't without a SOA
bump.
So make sure your serial in the input zone is greater than 2016091511.
But better would be to use 'datecounter' to let the signer manage the
serial.
Regards,
Yuri
[0]
https://wiki.opendnssec.org/display/DOCS20/kasp.xml#kasp.xml-ZoneInformation
When I change the serial in the input zone, I can do a "ods-signer
sign -all" once without problem and it will resign the zone.
When I try it a second time, it fails again with the same messages. Then I
have to update the serial again in the input zone.
_______________________________________________
Opendnssec-user mailing list
Opendnssec-user@lists.opendnssec.org
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
