[Freeipa-users] DNSSEC KSK rollover
Petr Spacek
pspacek at redhat.com
Mon Feb 29 10:22:53 UTC 2016
On 28.2.2016 14:51, Peter Fern wrote:
> Hi all,
> A new KSK has been auto-generated, and it's transitioned through
> 'published' and is now sitting in the 'ready' state, but does not appear
> as a DNSKEY record on the zone. I can see that ods-enforcerd has picked
> up the state change correctly and logged a DSChanged event with the
> correct output for the new DNSKEY record, and it appears as expected in
> localhsm, but is not published on the zone.
>
> Running FreeIPA 4.3.0-1.fc23, anyone got pointers on how to proceed with
> the rollover?
Hi,
I would recommend that you wait until the fix
https://fedorahosted.org/freeipa/ticket/5334
is released in 4.3.1 or so.
After that you can use the procedure described on the page
http://www.freeipa.org/page/Howto/DNSSEC
to run the ds-seen command.
I hope this helps.
--
Petr^2 Spacek