I am trying to use zkt-keyman -1 domain.dd to initiate semi-automatic KSK rollover, then after the propagation of the new key
Ok, this means you have to initiate every step manually!
If phase3 is done automatically then this is a bug, or you are using zkt in a hierarchical way with automated KSK rollover in place.
ZKT switches to KSK roll phase2, this is when admin needs to post new DS record to parent, after that ZKT automatically switches to phase3 and removes old KSK.
Could you please give me some insight if the parent is hosted by the same server and under control of zkt? Maybe this leads zkt-signer to take over your manually started KSK rollover.
I think this is a problem in case admin did not send a new DS to a parent zone and in phase3 the active key has been removed. Then parent
Yes, for sure, this is a problem.
zone will contain a DS record of the old KSK and zone will contain the new KSK and zone will become bogus. Maybe phase3 also should be called manually with zkt-keyman 3 domain.dd. ?
Yes, if it is started manually, all must be done manually.
Here are the logs -
2012-02-23 08:30:01.088: debug: kskrollover: we are in state 2 and waiting for parent propagation (parentfile 7200sec< parentprop 300sec + parentkeyttl 7200sec
2012-02-23 08:36:01.663: debug: kskrollover: remove parentfile and rename old key to kdomain.dd.+008+30177.key
2012-02-23 08:36:01.663: info: "domain.dd.": kskrollover phase3: Remove old key 30177
Thanks for the hint. I will look into the code to see if it is possible to detect the manual KSK rollover in an automated environment.
Best regards Holger
_______________________________________________ zkt-users mailing list zkt-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/zkt-users
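
An added example, not part of the original thread and not ZKT code: a pre-removal check for the failure discussed above, where phase3 removes the old KSK while the parent still publishes only the old DS. It computes the key tag (RFC 4034 Appendix B) and the SHA-256 DS digest (RFC 4509) for each KSK that would remain and compares them with the parent's DS set. The function names and the key bytes are constructed for illustration, and the key tag routine does not cover algorithm 1.

```python
import hashlib
import struct

def name_to_wire(name):
    """Owner name in canonical (lowercase) DNS wire format."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, alg, pubkey):
    """DNSKEY RDATA: flags (257 = KSK), protocol (always 3), algorithm, key."""
    return struct.pack("!HBB", flags, 3, alg) + pubkey

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (all algorithms except 1)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_for(owner, rdata):
    """(key tag, algorithm, SHA-256 digest) as the parent would publish it."""
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), rdata[3], digest)

def safe_to_remove_old_ksk(owner, parent_ds, remaining_ksks):
    """True only if the parent DS set matches a KSK that stays in the zone."""
    return any(ds_for(owner, rdata) in parent_ds for rdata in remaining_ksks)

# Constructed sample data: placeholder key bytes, not real RSA keys.
OLD_KSK = dnskey_rdata(257, 8, b"constructed-old-ksk")
NEW_KSK = dnskey_rdata(257, 8, b"constructed-new-ksk")

if __name__ == "__main__":
    zone = "domain.dd."
    # Parent still holds only the DS of the old key (admin has not sent the new one).
    parent_ds = {ds_for(zone, OLD_KSK)}
    print("remove old KSK now?", safe_to_remove_old_ksk(zone, parent_ds, [NEW_KSK]))
    # After the new DS has been published at the parent.
    parent_ds.add(ds_for(zone, NEW_KSK))
    print("remove old KSK now?", safe_to_remove_old_ksk(zone, parent_ds, [NEW_KSK]))
```

In practice the parent DS set and the DNSKEY RDATA would come from live queries against the parent's and the zone's name servers rather than from constants.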