Re: [Freeipa-users] DNSSEC active (?) ods-ksmutil
On 13.5.2016 14:07, Günther J. Niederwimmer wrote:
> Hello Petr,
>
> thank you for the answer
>
> On Friday, 13 May 2016, 13:35:57 CEST, Petr Spacek wrote:
>> On 13.5.2016 13:14, Günther J. Niederwimmer wrote:
>>> Cannot open destination file, will not make backup.
>>> No keys in the READY state matched your parameters, please check the
>>> parameters
>>
>> This is correct. Configured TTL did not expire yet so the key is not
>> "ready". See the column "Date of next transition". You will be able to
>> activate the key when this time passes.
>>
>> For detailed info please see
>> https://wiki.opendnssec.org/display/DOCS/Key+States
>>
>> If you are going to use DNSSEC please make sure to use very latest FreeIPA
>> 4.3.1 or newer. We fixed a lot of bugs in the last release.
>
> My system is a CentOS 7.2, can I find the newer FreeIPA rpm on any
> repository for this System ?

You might either try
https://copr.fedorainfracloud.org/coprs/g/freeipa/freeipa-4-3-centos-7/
or wait for CentOS 7.3.

Petr^2 Spacek

> This is my private Server and I hope this is running correctly ?
>
>> Petr^2 Spacek
>>
>>> when I say
>>>
>>> sudo -u ods SOFTHSM2_CONF=/etc/ipa/dnssec/softhsm2.conf ods-ksmutil key list --verbose
>>> SQLite database set to: /var/opendnssec/kasp.db
>>> Keys:
>>> Zone:        Keytype:  State:   Date of next transition (to):  Size:  Algorithm:  CKA_ID:                           Repository:  Keytag:
>>> examle.com   KSK       publish  2016-05-14 00:16:00 (ready)    3072   8           6145b3b71c448dfc1130d0f9d2caac79  SoftHSM      40447
>>> example.com  ZSK       active   2016-08-11 10:16:00 (retire)   2048   8           d7fe5c98d5f3f89aefb9e8dfb92ebcb1  SoftHSM      60630
>>>
>>> The DS records are published in the ".com" Domain
>>>
>>> dig +rrcomments example.com DS
>>> ;; ANSWER SECTION:
>>> example.com. 85610 IN DS 40447 8 1 4E04D91BF29E1941E00CC36B13BC3F50BBA5C913
>>> example.com. 85610 IN DS 40447 8 2 92EE9E785D07C2BBCA83DFB1156D4D01052B441B8F3898734
>>>
>>> Is this the correct status or have I to change anything ?
>>>
>>> Have I to change the KSK status from publish to active or is this correct ?
>>>
>>> Thanks for an answer

--
Petr^2 Spacek

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] DNSSEC active (?) ods-ksmutil
Hello Petr,

thank you for the answer

On Friday, 13 May 2016, 13:35:57 CEST, Petr Spacek wrote:
> On 13.5.2016 13:14, Günther J. Niederwimmer wrote:
> > Cannot open destination file, will not make backup.
> > No keys in the READY state matched your parameters, please check the
> > parameters
>
> This is correct. Configured TTL did not expire yet so the key is not
> "ready". See the column "Date of next transition". You will be able to
> activate the key when this time passes.
>
> For detailed info please see
> https://wiki.opendnssec.org/display/DOCS/Key+States
>
> If you are going to use DNSSEC please make sure to use very latest FreeIPA
> 4.3.1 or newer. We fixed a lot of bugs in the last release.

My system is a CentOS 7.2, can I find the newer FreeIPA rpm on any repository
for this System ?

This is my private Server and I hope this is running correctly ?

> Petr^2 Spacek
>
> > when I say
> >
> > sudo -u ods SOFTHSM2_CONF=/etc/ipa/dnssec/softhsm2.conf ods-ksmutil key list --verbose
> > SQLite database set to: /var/opendnssec/kasp.db
> > Keys:
> > Zone:        Keytype:  State:   Date of next transition (to):  Size:  Algorithm:  CKA_ID:                           Repository:  Keytag:
> > examle.com   KSK       publish  2016-05-14 00:16:00 (ready)    3072   8           6145b3b71c448dfc1130d0f9d2caac79  SoftHSM      40447
> > example.com  ZSK       active   2016-08-11 10:16:00 (retire)   2048   8           d7fe5c98d5f3f89aefb9e8dfb92ebcb1  SoftHSM      60630
> >
> > The DS records are published in the ".com" Domain
> >
> > dig +rrcomments example.com DS
> > ;; ANSWER SECTION:
> > example.com. 85610 IN DS 40447 8 1 4E04D91BF29E1941E00CC36B13BC3F50BBA5C913
> > example.com. 85610 IN DS 40447 8 2 92EE9E785D07C2BBCA83DFB1156D4D01052B441B8F3898734
> >
> > Is this the correct status or have I to change anything ?
> >
> > Have I to change the KSK status from publish to active or is this correct ?
> >
> > Thanks for an answer

--
best regards,
Günther J. Niederwimmer
Re: [Freeipa-users] DNSSEC active (?) ods-ksmutil
On 13.5.2016 13:14, Günther J. Niederwimmer wrote:
> Hello,
> I have activated now my domain with DNSSEC but I mean I have a Problem to set
> it ACTIVE ?
>
> I install and Test it from
> https://www.freeipa.org/page/Howto/DNSSEC
>
> but my output from
> sudo -u ods SOFTHSM2_CONF=/etc/ipa/dnssec/softhsm2.conf ods-ksmutil key ds-seen --zone example.com --keytag 40447
> is
>
> Cannot open destination file, will not make backup.
> No keys in the READY state matched your parameters, please check the
> parameters

This is correct. Configured TTL did not expire yet so the key is not "ready".
See the column "Date of next transition". You will be able to activate the key
when this time passes.

For detailed info please see
https://wiki.opendnssec.org/display/DOCS/Key+States

If you are going to use DNSSEC please make sure to use very latest FreeIPA
4.3.1 or newer. We fixed a lot of bugs in the last release.

Petr^2 Spacek

> when I say
>
> sudo -u ods SOFTHSM2_CONF=/etc/ipa/dnssec/softhsm2.conf ods-ksmutil key list --verbose
> SQLite database set to: /var/opendnssec/kasp.db
> Keys:
> Zone:        Keytype:  State:   Date of next transition (to):  Size:  Algorithm:  CKA_ID:                           Repository:  Keytag:
> examle.com   KSK       publish  2016-05-14 00:16:00 (ready)    3072   8           6145b3b71c448dfc1130d0f9d2caac79  SoftHSM      40447
> example.com  ZSK       active   2016-08-11 10:16:00 (retire)   2048   8           d7fe5c98d5f3f89aefb9e8dfb92ebcb1  SoftHSM      60630
>
> The DS records are published in the ".com" Domain
>
> dig +rrcomments example.com DS
> ;; ANSWER SECTION:
> example.com. 85610 IN DS 40447 8 1 4E04D91BF29E1941E00CC36B13BC3F50BBA5C913
> example.com. 85610 IN DS 40447 8 2 92EE9E785D07C2BBCA83DFB1156D4D01052B441B8F3898734
>
> Is this the correct status or have I to change anything ?
>
> Have I to change the KSK status from publish to active or is this correct ?
>
> Thanks for an answer
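
Added example, not part of the thread and not FreeIPA or OpenDNSSEC code: a small shell check that reads `ods-ksmutil key list --verbose` output and says whether `ds-seen` can match a given KSK yet, based on its state and "Date of next transition". The function name `ksk_status`, the verdict strings and the whitespace-separated column layout are assumptions; the sample listing is constructed from the values shown in the message above.

```shell
#!/bin/sh
# Assumption: each key row is whitespace-separated, in the header's order:
# zone type state date time (next-state) size algorithm CKA_ID repository keytag

# Constructed sample modelled on the listing quoted in the thread.
SAMPLE='SQLite database set to: /var/opendnssec/kasp.db
Keys:
Zone: Keytype: State: Date of next transition (to): Size: Algorithm: CKA_ID: Repository: Keytag:
example.com KSK publish 2016-05-14 00:16:00 (ready) 3072 8 6145b3b71c448dfc1130d0f9d2caac79 SoftHSM 40447
example.com ZSK active 2016-08-11 10:16:00 (retire) 2048 8 d7fe5c98d5f3f89aefb9e8dfb92ebcb1 SoftHSM 60630'

# ksk_status ZONE KEYTAG NOW
# NOW is "YYYY-MM-DD HH:MM:SS" on the same clock as the listing, so a plain
# string comparison orders the timestamps correctly.
# Reads the listing on stdin, prints one verdict line, exits 1 if no KSK matches.
ksk_status() {
    awk -v zone="$1" -v tag="$2" -v now="$3" '
        NF == 11 && $1 == zone && $2 == "KSK" && $11 == tag {
            found = 1
            when = $4 " " $5
            next_state = $6
            gsub(/[()]/, "", next_state)
            if ($3 == "ready")
                print "ready: ds-seen can match this key"
            else if ($3 == "active")
                print "active: nothing to do"
            else if ((when "") > (now ""))
                print "wait: " $3 " -> " next_state " at " when
            else
                print "due: " $3 " -> " next_state " was scheduled for " when "; state not yet updated"
        }
        END { if (!found) { print "not-found: no KSK with that zone and keytag"; exit 1 } }
    '
}

# Live use would pipe the command from the thread into the function:
#   sudo -u ods SOFTHSM2_CONF=/etc/ipa/dnssec/softhsm2.conf ods-ksmutil key list --verbose |
#       ksk_status example.com 40447 "$(date '+%Y-%m-%d %H:%M:%S')"
printf '%s\n' "$SAMPLE" | ksk_status example.com 40447 "2016-05-13 13:14:00"
```

The zone argument must match the first column exactly, so a row whose zone name differs from the one passed in is reported as not-found rather than silently accepted.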
[Freeipa-users] DNSSEC active (?) ods-ksmutil
Hello,
I have activated now my domain with DNSSEC but I mean I have a Problem to set
it ACTIVE ?

I install and Test it from
https://www.freeipa.org/page/Howto/DNSSEC

but my output from
sudo -u ods SOFTHSM2_CONF=/etc/ipa/dnssec/softhsm2.conf ods-ksmutil key ds-seen --zone example.com --keytag 40447
is

Cannot open destination file, will not make backup.
No keys in the READY state matched your parameters, please check the
parameters

when I say

sudo -u ods SOFTHSM2_CONF=/etc/ipa/dnssec/softhsm2.conf ods-ksmutil key list --verbose
SQLite database set to: /var/opendnssec/kasp.db
Keys:
Zone:        Keytype:  State:   Date of next transition (to):  Size:  Algorithm:  CKA_ID:                           Repository:  Keytag:
examle.com   KSK       publish  2016-05-14 00:16:00 (ready)    3072   8           6145b3b71c448dfc1130d0f9d2caac79  SoftHSM      40447
example.com  ZSK       active   2016-08-11 10:16:00 (retire)   2048   8           d7fe5c98d5f3f89aefb9e8dfb92ebcb1  SoftHSM      60630

The DS records are published in the ".com" Domain

dig +rrcomments example.com DS
;; ANSWER SECTION:
example.com. 85610 IN DS 40447 8 1 4E04D91BF29E1941E00CC36B13BC3F50BBA5C913
example.com. 85610 IN DS 40447 8 2 92EE9E785D07C2BBCA83DFB1156D4D01052B441B8F3898734

Is this the correct status or have I to change anything ?

Have I to change the KSK status from publish to active or is this correct ?

Thanks for an answer

--
best regards,
Günther J. Niederwimmer