> after a bit of digging, seems !ods-ksmutil, but ods-enforcer is to be used 
> (would be helpful if DOCS reflected that)

Whoops, I'll update the 2.0 documentation. There where multiple
erroneous mentions of ods-ksmutil.

>       /usr/local/opendnssec/sbin/ods-enforcer key ds-seen -z example.info -x 
> 56995
>               1 KSK matches found.
>               1 KSKs changed.
> 
> now,
> 
>       /usr/local/opendnssec/sbin/ods-enforcer key list --verbose
>               Keys:
>               Zone:                           Keytype: State:    Date of next 
> transition: Size: Algorithm: CKA_ID:                          Repository: 
> KeyTag:
>               example.info                    KSK      active    2016-12-19 
> 17:25:55      2048  8          690c90a78f1ba38fcbf76f248a4fe47e SoftHSM     
> 56995
>               example.info                    ZSK      active    2016-12-19 
> 17:25:55      1024  8          0c60caf105ce9edef9048b19eed84db9 SoftHSM     
> 6126
> 
> So a state change, but still no email sent.
> Is there another step, or different action, needed?

The email should have been sent at an earlier stage. Internally DS
records have these states:

* unsubmitted
* submit
* submitted (waiting for ds-seen)
* seen
* retract
* retracted

The transition between submit and submitted should go automatically when
you have a DelegationSignerSubmitCommand specified. Like you have.

In case the enforcer logged an error it should prepend it with
'keystate_ds_x_cmd'. So please grep your logs for that.

//Yuri

Attachment: signature.asc
Description: OpenPGP digital signature

_______________________________________________
Opendnssec-user mailing list
Opendnssec-user@lists.opendnssec.org
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user

Reply via email to