>>> In case the enforcer logged an error it should prepend it with
>>> 'keystate_ds_x_cmd'. So please grep your logs for that.
>>
>> I've something amiss re state mgmt.
>>
>> at verbosity = 6, on exec
>>
>> /usr/local/opendnssec/sbin/ods-enforcer zone add -z example.info -p lab
>>
>> there's no such log entry,
>
> Again, after zone add the DS doesn't get submitted immediately.
> OpenDNSSEC should first have to make sure the keys and signatures are
> sufficiently propagated. You'll have to wait for the "waiting for
> ds-seen" state.

If I recall correctly, with OpenDNSSEC 1.4, I think you also had to
wait for the keys in the (Soft)HSM database to be marked as being
"backed up" in order for the keys to proceed to the state before
"waiting for ds-seen", which I think is "publish", not sure what the
state before that is called.

Not sure if that's the case with OpenDNSSEC 2.0, though; I've not
dared venture into that quite yet.

Regards,

- Håvard