-
Type: Bug
-
Status: Resolved
-
Priority: Minor
-
Resolution: Won't Fix
-
Affects Version/s: 1.4.14
-
Fix Version/s: None
-
Component/s: None
-
Labels:None
From user mailing list:
Hello,
opendnssec version 1.4.13, kasp.xml attached.
We have all keys (KSK and ZSK) for the next 5 years pregenerated on the HSM.
<ManualRollover/> is set for the KSK.
Yet yesterday, on the day the KSK rollover was scheduled for, it just happened.
Jul 20 03:47:15 signer001 ods-enforcerd: Zone example.com found.
Jul 20 03:47:15 signer001 ods-enforcerd: Policy for example.com set to 1.
Jul 20 03:47:15 signer001 ods-enforcerd: Policy 1 found in DB.
Jul 20 03:47:15 signer001 ods-enforcerd: Config will be output to /ods-data/var/opendnssec/signconf/example.com.xml.
Jul 20 03:47:15 signer001 ods-enforcerd: KSK key allocation for zone example.com: 1 key(s) allocated
The new KSK was introduced into the zone and DNSKEY signed with both new and old KSK. What makes it even more annoying is that the ZSK was rolled at the same time (as expected), so now we ended having pretty big DNSKEY + RRSIG response.