The zone has been re-signed since the issuance of the new KSK.

On 11/02/18 at 19:54, Jake Zack wrote:
> Is it possible you haven't published a new zone yet with the new key?
>
> Can you force a re-sign?
>
> -jake
>
> -----Original Message-----
> From: Opendnssec-user <[email protected]> On Behalf Of Erwan David
> Sent: November-02-18 2:41 PM
> To: [email protected]
> Subject: [Opendnssec-user] KSK rollover gone wrong
>
> Hi, it is my first KSK rollover with opendnssec 2.x (2.1.3)
>
> As DelegationSignerSubmitCommand I have a script which sends me the new
> DNSKEY record.
>
> So now I have the following state:
>
> root@ns:~ # ods-enforcer key list -v
> Keys:
> Zone:        Keytype: State:  Date of next transition: Size: Algorithm: CKA_ID:                           Repository: KeyTag:
> rail.eu.org  KSK      retire  waiting for ds-gone      2048  8          b656abe183f04bb79532cef7e560f385  SoftHSM     60025
> rail.eu.org  ZSK      retire  2018-11-10 06:40:45      1024  8          3be292fdeffa05c2fb7094aad65bdc9f  SoftHSM     58794
> rail.eu.org  ZSK      ready   2018-11-10 06:40:45      1024  8          06f37e2866ef467c02b1f14aa7835dc8  SoftHSM     33120
> rail.eu.org  KSK      ready   waiting for ds-seen      2048  8          27511d0b7ff7ca21510317ad95be546a  SoftHSM     43375
>
> So following the doc I issued the following
>
> root@ns:~ # ods-enforcer key ds-submit -z rail.eu.org -x 43375
> 0 KSK matches found.
> 0 KSKs changed.
>
> And DNSKEY 43375 is not in the signed zone (only 60025 for KSK).
>
> My registrar checks that I publish the DNSKEY record before publishing the DS,
> thus I cannot add it.
>
> What should I do in this situation?
>
> Thanks.
>
>
> _______________________________________________
> Opendnssec-user mailing list
> [email protected]
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
