[Freeipa-users] DNSSEC active (?) ods-ksmutil

Petr Spacek pspacek at redhat.com
Fri May 13 12:39:02 UTC 2016


On 13.5.2016 14:07, Günther J. Niederwimmer wrote:
> Hello Petr,
> 
> thank you for the answer
> 
> Am Freitag, 13. Mai 2016, 13:35:57 CEST schrieb Petr Spacek:
>> On 13.5.2016 13:14, Günther J. Niederwimmer wrote:
>>> Cannot open destination file, will not make backup.
>>> No keys in the READY state matched your parameters, please check the
>>> parameters
>>
>> This is correct. Configured TTL did not expire yet so the key is not
>> "ready". See the column "Date of next transition". You will be able to
>> activate the key when this time passes.
>>
>> For detailed info please see
>> https://wiki.opendnssec.org/display/DOCS/Key+States
>>
>> If you are going to use DNSSEC please make sure to use the very latest FreeIPA
>> 4.3.1 or newer. We fixed a lot of bugs in the last release.
> 
> My system is a CentOS 7.2, can I find the newer FreeIPA rpm on any repository
> for this system?

You might either try
https://copr.fedorainfracloud.org/coprs/g/freeipa/freeipa-4-3-centos-7/
or wait for CentOS 7.3.

Petr^2 Spacek

> This is my private server and I hope this is running correctly?
>  
>> Petr^2 Spacek
>>
>>> When I say
>>>
>>> sudo -u ods SOFTHSM2_CONF=/etc/ipa/dnssec/softhsm2.conf ods-ksmutil key
>>> list --verbose
>>> SQLite database set to: /var/opendnssec/kasp.db
>>> Keys:
>>> Zone:                           Keytype:      State:    Date of next
>>> transition (to):  Size:   Algorithm:  CKA_ID:
>>> Repository:                       Keytag:
>>> examle.com                        KSK           publish   2016-05-14
>>> 00:16:00 (ready)    3072    8           6145b3b71c448dfc1130d0f9d2caac79 
>>> SoftHSM 40447
>>> example.com                        ZSK           active    2016-08-11
>>> 10:16:00 (retire)   2048    8           d7fe5c98d5f3f89aefb9e8dfb92ebcb1 
>>> SoftHSM 60630
>>>
>>> The DS records are published in the ".com" domain
>>>
>>> dig +rrcomments example.com DS
>>> ;; ANSWER SECTION:
>>> example.com.               85610   IN      DS      40447 8 1
>>> 4E04D91BF29E1941E00CC36B13BC3F50BBA5C913
>>> example.com.               85610   IN      DS      40447 8 2
>>> 92EE9E785D07C2BBCA83DFB1156D4D01052B441B8F3898734
>>>
>>> Is this the correct status or have I to change anything?
>>>
>>> Have I to change the KSK status from publish to active or is this correct?
>>>
>>> Thanks for an answer
> 
> 


-- 
Petr^2 Spacek
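
The check discussed in this thread, as an added example that is not part of the original message or of FreeIPA/OpenDNSSEC: it parses `ods-ksmutil key list --verbose` rows, reports whether each KSK's "Date of next transition" has passed, and checks that the DS key tag and algorithm seen at the parent match that KSK. The function names and the unwrapped sample rows are constructed for illustration, and the listing's timestamps are assumed to be in the same time zone as the `now` value passed in.

```python
import re
from datetime import datetime

# Constructed sample: the two key rows from the thread, unwrapped to one line each.
KEY_LIST = """\
example.com KSK publish 2016-05-14 00:16:00 (ready)  3072 8 6145b3b71c448dfc1130d0f9d2caac79 SoftHSM 40447
example.com ZSK active  2016-08-11 10:16:00 (retire) 2048 8 d7fe5c98d5f3f89aefb9e8dfb92ebcb1 SoftHSM 60630
"""
# Constructed sample: DS owner, key tag, algorithm and digest type as in the dig
# answer; the digests are replaced by a placeholder because they are not compared.
DS_ANSWER = """\
example.com. 85610 IN DS 40447 8 1 DIGEST-PLACEHOLDER
example.com. 85610 IN DS 40447 8 2 DIGEST-PLACEHOLDER
"""

ROW = re.compile(
    r"^(?P<zone>\S+)\s+(?P<type>KSK|ZSK)\s+(?P<state>\w+)\s+"
    r"(?P<when>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+\((?P<next>\w+)\)\s+"
    r"(?P<size>\d+)\s+(?P<alg>\d+)\s+(?P<cka_id>[0-9a-f]+)\s+\S+\s+(?P<keytag>\d+)\s*$")

def parse_keys(text):
    """Return one dict per key row; header and unparseable lines are skipped."""
    keys = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            key = m.groupdict()
            key["when"] = datetime.strptime(key["when"], "%Y-%m-%d %H:%M:%S")
            keys.append(key)
    return keys

def parse_ds(text):
    """Return {(zone, keytag, algorithm)} from 'owner TTL IN DS tag alg type digest' lines."""
    found = set()
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 7 and f[2] == "IN" and f[3] == "DS":
            found.add((f[0].rstrip("."), f[4], f[5]))
    return found

def ksk_report(key_text, ds_text, now):
    """Map each KSK key tag to its state, whether its next transition is due, and DS match."""
    ds = parse_ds(ds_text)
    return {
        k["keytag"]: {"state": k["state"], "next_state": k["next"],
                      "transition_due": now >= k["when"],
                      "ds_at_parent": (k["zone"], k["keytag"], k["alg"]) in ds}
        for k in parse_keys(key_text) if k["type"] == "KSK"
    }

if __name__ == "__main__":
    # Constructed "now" for the demo run, one day before the listed transition time.
    print(ksk_report(KEY_LIST, DS_ANSWER, datetime(2016, 5, 13, 12, 39)))
```
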