> is there a way to fix that even with the current version ? What Hoda said, the upgrade is the fix.
However a workaround might be possible. If I remember correctly the issue was that the enforcer during key generation would calculate the wrong number of ZSKs. It only happens in the case where your KSK and ZSK have the same key length. It would add the number of KSKs to the number of ZSKs and concluded it has enough ZSKs and doesn't need to generate more. A short term workaround: use "ods-ksmutil key generate --period PERIOD" to generate more keys. For PERIOD choose something bigger than the value from the conf. Say twice. Make sure the lifetime of the ZSK is shorter than the KSK or you'll probably hit the same problem. Long term workaround: Use a different key length for ZSK than KSK. None of this is tested. //Yuri
signature.asc
Description: OpenPGP digital signature
_______________________________________________ Opendnssec-user mailing list [email protected] https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
