[Freeipa-users] DNSSEC active (?) ods-ksmutil

Günther J. Niederwimmer gjn at gjn.priv.at
Fri May 13 12:07:38 UTC 2016 

Hello Petr,

thank you for the answer

Am Freitag, 13. Mai 2016, 13:35:57 CEST schrieb Petr Spacek:
> On 13.5.2016 13:14, Günther J. Niederwimmer wrote:
> > Cannot open destination file, will not make backup.
> > No keys in the READY state matched your parameters, please check the
> > parameters
> 
> This is correct. Configured TTL did not expire yet so the key is not
> "ready". See the column "Date of next transition". You will be able to
> activate the key when this time passes.
> 
> For detailed info please see
> https://wiki.opendnssec.org/display/DOCS/Key+States
> 
> If you are going to use DNSSEC please make sure to use very latests FreeIPA
> 4.3.1 or newer. We fixed a lot of bugs in the last release.

My system is a CentOS 7.2, can I found the newer FreeIPA rpm on any repository 
for this System ?

This is my private Server and I hope this is running correct ?
 
> Petr^2 Spacek
> 
> > when i say
> > 
> > sudo -u ods SOFTHSM2_CONF=/etc/ipa/dnssec/softhsm2.conf ods-ksmutil key
> > list --verbose
> > SQLite database set to: /var/opendnssec/kasp.db
> > Keys:
> > Zone:                           Keytype:      State:    Date of next
> > transition (to):  Size:   Algorithm:  CKA_ID:
> > Repository:                       Keytag:
> > examle.com                        KSK           publish   2016-05-14
> > 00:16:00 (ready)    3072    8           6145b3b71c448dfc1130d0f9d2caac79 
> > SoftHSM 40447
> > example.com                        ZSK           active    2016-08-11
> > 10:16:00 (retire)   2048    8           d7fe5c98d5f3f89aefb9e8dfb92ebcb1 
> > SoftHSM 60630
> > 
> > The DS Record are published in the ".com" Domain
> > 
> > dig +rrcomments example.com DS
> > ;; ANSWER SECTION:
> > example.com.               85610   IN      DS      40447 8 1
> > 4E04D91BF29E1941E00CC36B13BC3F50BBA5C913
> > example.com.               85610   IN      DS      40447 8 2
> > 92EE9E785D07C2BBCA83DFB1156D4D01052B441B8F3898734
> > 
> > Is this the correct status or have I to change anything ?
> > 
> > Have I to change the KSK status form publish to active or is this correct
> > ?
> > 
> > Thanks for a answer


-- 
mit freundlichen Grüßen / best regards,

  Günther J. Niederwimmer

More information about the Freeipa-users mailing list