Hello fellows.

I have some questions, maybe naive, but anyway I decided to write to the list. I found the following line in my log:

    WARNING: New KSK has reached the ready state; please submit the DS for my_domain and use ods-ksmutil key ds-seen when the DS appears in the DNS.

Currently the KSK is in some weird state:

    my_domain KSK ready waiting for ds-seen (active) 3072 8 ckaid1234567890 SoftHSM 99999

Which suggests that it is ready for rollover, however there is no new corresponding DNSKEY published. Running:

    sudo -u ods SOFTHSM2_CONF=/etc/ipa/dnssec/softhsm2.conf ods-ksmutil key export ckaid1234567890

only exports the old KSK.

So there are some questions:
- Is the ODS database in a sane state?
- How does one exactly perform KSK rollover in FreeIPA?
- Should I simply perform *ods-ksmutil key ds-seen*?

Best regards,
Arek
