[Freeipa-users] DNSSEC active (?) ods-ksmutil

Petr Spacek pspacek at redhat.com
Fri May 13 11:35:57 UTC 2016


On 13.5.2016 13:14, Günther J. Niederwimmer wrote:
> Hello,
> I have now activated DNSSEC for my domain, but I think I have a problem
> setting it ACTIVE?
> 
> I installed and tested it following
> https://www.freeipa.org/page/Howto/DNSSEC
> 
> but my output from 
> sudo -u ods SOFTHSM2_CONF=/etc/ipa/dnssec/softhsm2.conf ods-ksmutil key ds-
> seen --zone example.com --keytag 40447
> is 
> 
> Cannot open destination file, will not make backup.
> No keys in the READY state matched your parameters, please check the 
> parameters

This is correct. Configured TTL did not expire yet so the key is not "ready".
See the column "Date of next transition". You will be able to activate the key
when this time passes.

For detailed info please see
https://wiki.opendnssec.org/display/DOCS/Key+States

If you are going to use DNSSEC please make sure to use the very latest FreeIPA
4.3.1 or newer. We fixed a lot of bugs in the last release.

Petr^2 Spacek


> 
> when I say
> 
> sudo -u ods SOFTHSM2_CONF=/etc/ipa/dnssec/softhsm2.conf ods-ksmutil key list 
> --verbose
> SQLite database set to: /var/opendnssec/kasp.db
> Keys:
> Zone:                           Keytype:      State:    Date of next 
> transition (to):  Size:   Algorithm:  CKA_ID:                           
> Repository:                       Keytag:
> examle.com                        KSK           publish   2016-05-14 00:16:00 
> (ready)    3072    8           6145b3b71c448dfc1130d0f9d2caac79  SoftHSM                           
> 40447
> example.com                        ZSK           active    2016-08-11 10:16:00 
> (retire)   2048    8           d7fe5c98d5f3f89aefb9e8dfb92ebcb1  SoftHSM
> 60630
> 
> The DS records are published in the ".com" domain
> 
> dig +rrcomments example.com DS
> ;; ANSWER SECTION:
> example.com.               85610   IN      DS      40447 8 1 
> 4E04D91BF29E1941E00CC36B13BC3F50BBA5C913
> example.com.               85610   IN      DS      40447 8 2 
> 92EE9E785D07C2BBCA83DFB1156D4D01052B441B8F3898734
> 
> Is this the correct status or do I have to change anything?
> 
> Do I have to change the KSK status from publish to active or is this correct?
> 
> Thanks for an answer

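The refusal quoted above ("No keys in the READY state matched your parameters") follows directly from the key list: the KSK is still in the "publish" state and will only reach "ready" at the printed transition time. The following is an added example, not part of the thread or of OpenDNSSEC/FreeIPA; it parses a constructed copy of the `ods-ksmutil key list --verbose` table (zone, CKA_IDs and keytags are illustrative) and reproduces the state check that `key ds-seen` applies, reporting when the key becomes eligible.

```python
"""Check whether a KSK is eligible for `ods-ksmutil key ds-seen`.

Added example: reads the table printed by `ods-ksmutil key list --verbose`
and mirrors the readiness check behind the message
"No keys in the READY state matched your parameters".
"""
import re
from datetime import datetime

# OpenDNSSEC 1.x key lifecycle, in order. ds-seen only acts on keys in
# "ready"; the enforcer moves a key from publish to ready by itself once the
# DNSKEY TTL (plus configured propagation delay) has elapsed.
LIFECYCLE = ("generate", "publish", "ready", "active", "retire", "dead")

# Timestamp of the mail in which the check was run (from the thread header).
THREAD_TIME = datetime(2016, 5, 13, 13, 14)

# Constructed sample modelled on the key list quoted in the thread; the zone,
# CKA_IDs and keytags are illustrative values, not a real deployment.
SAMPLE_KEY_LIST = """\
SQLite database set to: /var/opendnssec/kasp.db
Keys:
Zone:                           Keytype:      State:    Date of next transition (to):  Size:   Algorithm:  CKA_ID:                           Repository:                       Keytag:
example.com                     KSK           publish   2016-05-14 00:16:00 (ready)    3072    8           6145b3b71c448dfc1130d0f9d2caac79  SoftHSM                           40447
example.com                     ZSK           active    2016-08-11 10:16:00 (retire)   2048    8           d7fe5c98d5f3f89aefb9e8dfb92ebcb1  SoftHSM                           60630
"""

# One data row: zone, key type, state, transition timestamp, "(next state)",
# size, algorithm number, CKA_ID, repository, keytag.
KEY_ROW = re.compile(
    r"^(?P<zone>\S+)\s+(?P<keytype>KSK|ZSK)\s+(?P<state>[a-z]+)\s+"
    r"(?P<when>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+\((?P<next>[a-z]+)\)\s+"
    r"(?P<size>\d+)\s+(?P<algorithm>\d+)\s+(?P<cka_id>[0-9a-f]+)\s+"
    r"(?P<repository>\S+)\s+(?P<keytag>\d+)\s*$"
)


def parse_key_list(text):
    """Return one dict per key row; the header and status lines are skipped."""
    keys = []
    for line in text.splitlines():
        m = KEY_ROW.match(line)
        if not m:
            continue
        row = m.groupdict()
        row["when"] = datetime.strptime(row["when"], "%Y-%m-%d %H:%M:%S")
        for field in ("size", "algorithm", "keytag"):
            row[field] = int(row[field])
        keys.append(row)
    return keys


def ds_seen_check(keys, zone, keytag, now):
    """Mirror the precondition of `ods-ksmutil key ds-seen --zone Z --keytag T`.

    Returns a dict with 'ok' (True when the key can be marked as seen now),
    the key's current state, and when it is due to become ready (or None).
    """
    matches = [k for k in keys if k["zone"] == zone and k["keytag"] == keytag]
    if not matches:
        return {"ok": False, "reason": "no such key", "state": None, "ready_at": None}
    key = matches[0]
    if key["state"] == "ready":
        return {"ok": True, "reason": "key is READY", "state": "ready", "ready_at": None}
    # A key in "publish" reaches "ready" at the printed transition time; keys
    # further along the lifecycle (active, retire) are already past ds-seen.
    ready_at = key["when"] if key["next"] == "ready" else None
    if ready_at is not None and now >= ready_at:
        reason = "transition time has passed; re-run key list, the enforcer should have moved it to ready"
    else:
        reason = "No keys in the READY state matched your parameters"
    return {"ok": False, "reason": reason, "state": key["state"], "ready_at": ready_at}


if __name__ == "__main__":
    keys = parse_key_list(SAMPLE_KEY_LIST)
    print(ds_seen_check(keys, "example.com", 40447, THREAD_TIME))
```

Run against the sample at the time of the original mail, the KSK 40447 is reported as "publish" with a ready time of 2016-05-14 00:16:00, which is exactly why ds-seen declined; the ZSK is "active" and never becomes a ds-seen candidate. The regular expression is anchored on the real column order of the verbose listing, so it also rejects the wrapped header line that mail clients tend to split.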