> after a bit of digging, seems !ods-ksmutil, but ods-enforcer is to be used
> (would be helpful if DOCS reflected that)

Whoops, I'll update the 2.0 documentation. There were multiple erroneous mentions of ods-ksmutil.

> /usr/local/opendnssec/sbin/ods-enforcer key ds-seen -z example.info -x 56995
> 1 KSK matches found.
> 1 KSKs changed.
>
> now,
>
> /usr/local/opendnssec/sbin/ods-enforcer key list --verbose
> Keys:
> Zone: Keytype: State: Date of next transition: Size: Algorithm: CKA_ID: Repository: KeyTag:
> example.info KSK active 2016-12-19 17:25:55 2048 8 690c90a78f1ba38fcbf76f248a4fe47e SoftHSM 56995
> example.info ZSK active 2016-12-19 17:25:55 1024 8 0c60caf105ce9edef9048b19eed84db9 SoftHSM 6126
>
> So a state change, but still no email sent.
> Is there another step, or different action, needed?

The email should have been sent at an earlier stage. Internally DS records have these states:

* unsubmitted
* submit
* submitted (waiting for ds-seen)
* seen
* retract
* retracted

The transition between submit and submitted should go automatically when you have a DelegationSignerSubmitCommand specified. Like you have. In case the enforcer logged an error it should prepend it with 'keystate_ds_x_cmd'. So please grep your logs for that.

//Yuri
_______________________________________________
Opendnssec-user mailing list
Opendnssec-user@lists.opendnssec.org
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user