Hi

OK, so I came right. I added the zone entries in the zone table.

Then I added the keyData for the KSKs and linked them to the correct zone and the correct key in the hsmKey table. I started and then stopped the OpenDNSSEC system. It created the default keyState entries. I used that and the following commands to get the keys back to ACTIVE:

ods-enforcer key list -d
ods-enforcer key list -v

Side note: it would be super useful to know what the database states = key states.

The DNSKEY entries and the DNSKEY RRSIG still didn't appear in the zone, the sea is signed correctly.

I then set nextChange in the zone table back; this started a ZSK rollover. I did that a few times and it got stuck on PUBLISH. I rolled the machine clock forward a day and the new ZSK changed to READY and the old one to RETIRE, and the zone re-signed and contained all the DNSKEY entries and the DNSKEY RRSIG. I then rolled the machine clock back and re-signed; the zone file looks fine, all the RRSIGs are valid and signed with the new ZSK.

OpenDNSSEC shooting its own DB seems to be a rather drastic bug, what is the timeline on a fix for this?

Regards
—
David Peall

> On 26 Sep 2016, at 1:05 PM, David Peall <[email protected]> wrote:
>
> Hi
>
> I've been looking around. I'm using the following to extract the DNSKEY values
> out of the HSM and match them to the zone files so I can relink them in the
> database.
> KSK - ods-hsmutil dnskey <id> test 257 8
> ZSK - ods-hsmutil dnskey <id> test 257 8

Typo
ZSK - ods-hsmutil dnskey <id> test 256 8

>
> The rest of the database looks fairly straightforward; if there is any heads
> up I'd appreciate it.
>
> Regards
> —
> David Peall
>
>
>> On 26 Sep 2016, at 12:30 PM, David Peall <[email protected]
>> <mailto:[email protected]>> wrote:
>>
>> Hi
>>
>> Is it possible to rebuild the database for 3 zones that were deleted from the
>> database?
>> ods-signer is still signing the 3 domains:
>>
>> ods-signer zones
>> There are 3 zones configured
>> - 1
>> - 2
>> - 3
>>
>> ods-enforcer zone list
>> Database set to: opendnssec
>> No zones in database.
>> zone list completed in 0 seconds.
>>
>> Keys are still in the HSM.
>>
>> I need to keep the KSK at minimum; the ZSK and RRSIG records can be
>> re-generated.
>>
>> Regards
>> —
>> David Peall
>>
>> _______________________________________________
>> Opendnssec-user mailing list
>> [email protected]
>> <mailto:[email protected]>
>> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
>
> _______________________________________________
> Opendnssec-user mailing list
> [email protected]
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
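
The DNSKEY matching step from the quoted 26 Sep message (export each HSM key with ods-hsmutil dnskey, then compare it with the zone file), as an added example that is not part of the original thread or of OpenDNSSEC. It assumes the export and the zone file both hold one-line DNSKEY records; the key ids, owner names and key material below are constructed.

```python
import base64

def parse_dnskey(line):
    """Return (flags, algorithm, key bytes) for a one-line DNSKEY RR, else None."""
    tokens = line.split(";", 1)[0].split()
    if "DNSKEY" not in tokens:
        return None
    i = tokens.index("DNSKEY")
    # "RRSIG DNSKEY ..." is a signature covering the DNSKEY set, not a key.
    if i == 0 or tokens[i - 1] == "RRSIG" or len(tokens) < i + 5:
        return None
    flags, _protocol, algorithm = (int(t) for t in tokens[i + 1:i + 4])
    return flags, algorithm, base64.b64decode("".join(tokens[i + 4:]))

def key_tag(flags, algorithm, key, protocol=3):
    """Key tag per RFC 4034 Appendix B, computed over the DNSKEY RDATA."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + key
    acc = sum(b << 8 if n % 2 == 0 else b for n, b in enumerate(rdata))
    return (acc + (acc >> 16)) & 0xFFFF

def match_keys(hsm_output, zone_text):
    """Map HSM key id -> (role, key tag) for keys whose DNSKEY is in the zone."""
    published = {parse_dnskey(l) for l in zone_text.splitlines()} - {None}
    matched = {}
    for key_id, line in hsm_output.items():
        rec = parse_dnskey(line)
        if rec in published:
            role = "KSK" if rec[0] & 1 else "ZSK"  # SEP bit set => KSK
            matched[key_id] = (role, key_tag(*rec))
    return matched

# Constructed sample data: not real keys, ids or zone contents.
KSK = base64.b64encode(b"constructed KSK public key bytes").decode()
ZSK = base64.b64encode(b"constructed ZSK public key bytes").decode()
ZONE = f"""example.com. 3600 IN DNSKEY 257 3 8 {KSK} ; constructed
example.com. 3600 IN DNSKEY 256 3 8 {ZSK}
example.com. 3600 IN RRSIG DNSKEY 8 2 3600 20161010000000 20160926000000 1 example.com. c2ln
"""
# Assumed shape of the per-key export (owner "test", algorithm 8).
HSM = {
    "id-ksk": f"test. 3600 IN DNSKEY 257 3 8 {KSK}",
    "id-zsk-exported-as-257": f"test. 3600 IN DNSKEY 257 3 8 {ZSK}",
    "id-zsk": f"test. 3600 IN DNSKEY 256 3 8 {ZSK}",
}

if __name__ == "__main__":
    for key_id, (role, tag) in match_keys(HSM, ZONE).items():
        print(key_id, role, tag)
```

The ZSK exported with flags 257 finds no match, because the flags field is part of the record being compared and of the key tag; that is the effect of the 257/256 typo corrected in the thread.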
