Hi Yuri,

I have been a few days away, so I read your message now.

I am a bit confused about your reply. Does it refer to my first question, in an earlier mail, about the refusal of the signer to sign the zone because of the serial?
This was indeed solved with "ods-enforcer policy import".
However, a few days later we got this new problem with a ZSK roll-over, where ods 2.0.1 completely ruined the zone. No active ZSK was left. The retiring keys were not in the signed zone, but most of the records were still signed with the retiring keys. Some more "ods-enforcer policy import" did not help (of course). Only a few records were signed with the ready ZSK, which was also in the zone. Only those records could be used with DNSSEC verification.
Finally, my colleague deleted the zone from the database.
So, I am not able to send you any other information.

Could it be that this problem was also caused by a migration problem, or is it something else?

Regards,
Fred.Zwarts.


"Yuri Schaeffer" wrote in message news:0bc2193f-292a-4952-5791-92ec713bc...@nlnetlabs.nl...

Hi Fred,

My colleague Hoda found the error. The SOA serial strategy is numbered
differently between 1.4 and 2.0. This is actually a problem with the
migration script not taking this into account.

What should solve your issue is running

ods-enforcer policy import

Your kasp.xml will be reread and any differences applied.

Alternatively you could do it manually in your database (assuming
default policy):

UPDATE policy SET zoneSoaSerial=1 WHERE name = 'default';

I expect that field in your database to be 3, which was 'datecounter' in
1.4 but maps to 'keep' in 2.0.

What is left for us to do is update the migration script.

Regards,
Yuri







_______________________________________________
Opendnssec-user mailing list
Opendnssec-user@lists.opendnssec.org
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
