[Freeipa-users] DNSSEC KSK rollover

Petr Spacek pspacek at redhat.com
Mon Feb 29 10:22:53 UTC 2016


On 28.2.2016 14:51, Peter Fern wrote:
> Hi all,
> A new KSK has been auto-generated, and it's transitioned through
> 'published' and is now sitting in the 'ready' state, but does not appear
> as a DNSKEY record on the zone.  I can see that ods-enforcerd has picked
> up the state change correctly and logged a DSChanged event with the
> correct output for the new DNSKEY record, and it appears as expected in
> localhsm, but is not published on the zone.
> 
> Running FreeIPA 4.3.0-1.fc23, anyone got pointers on how to proceed with
> the rollover?

Hi,

I would recommend waiting until the fix
https://fedorahosted.org/freeipa/ticket/5334
is released in 4.3.1 or so.

After that you can use the procedure described on the page
http://www.freeipa.org/page/Howto/DNSSEC
to run the ds-seen command.

I hope this helps.

-- 
Petr^2 Spacek



