Discussion:
[Opendnssec-user] ods-ksmutil key export --all not exporting key's
Bas van den Dikkenberg
2016-11-19 15:12:46 UTC
Hello,

For some reason ods-enforcer key export --all doesn't export anything:

***@scripting:~# ods-enforcer key export --all
key export completed in 0 seconds.

If I do key list I see my keys:

***@scripting:~# ods-enforcer key list
Keys:
Zone: Keytype: State: Date of next transition:
hccregiodagen.nl KSK active 2016-11-19 17:57:43
hccregiodagen.nl ZSK active 2016-11-19 17:57:43
linuxthemadag.nl KSK active 2016-11-19 17:57:43
linuxthemadag.nl ZSK active 2016-11-19 17:57:43
software-freedom-day.nl KSK active 2016-11-19 17:57:43
software-freedom-day.nl ZSK active 2016-11-19 17:57:43
offline.hobby.nl KSK active 2016-11-19 17:01:03
offline.hobby.nl ZSK active 2016-11-19 17:01:03
test.local KSK active 2016-11-19 19:42:42
test.local ZSK active 2016-11-19 19:42:42
231.72.212.in-addr.arpa KSK active 2016-11-19 17:06:03
231.72.212.in-addr.arpa ZSK active 2016-11-19 17:06:03
230.72.212.in-addr.arpa KSK active 2016-11-19 17:06:03
230.72.212.in-addr.arpa ZSK active 2016-11-19 17:06:03
228.72.212.in-addr.arpa KSK active 2016-11-19 17:06:03
228.72.212.in-addr.arpa ZSK active 2016-11-19 17:06:03
226.72.212.in-addr.arpa KSK active 2016-11-19 17:06:03
226.72.212.in-addr.arpa ZSK active 2016-11-19 17:06:03
225.72.212.in-addr.arpa KSK active 2016-11-19 17:06:03
225.72.212.in-addr.arpa ZSK active 2016-11-19 17:06:03
key list completed in 0 seconds.
***@scripting:~#


What am I doing wrong?

Bas
(Berry) A.W. van Halderen
2016-11-19 16:51:35 UTC
Post by Bas van den Dikkenberg
key export completed in 0 seconds.
Key export prints the keys that need to be submitted to the parent zone
and are not ds-seen yet. So if it would say "waiting for ds-seen" your
key export would also show you the DNSKEY record.

Documentation could be clearer on this and the command line interface
isn't always intuitive. We need to be careful about changing this though.

\Berry
--
N: (Berry) A.W. van Halderen
E: ***@nlnetlabs.nl
O: NLnet Labs
W: http://www.nlnetlabs.nl/
Casper Gielen
2016-11-22 13:21:55 UTC
Post by (Berry) A.W. van Halderen
Post by Bas van den Dikkenberg
key export completed in 0 seconds.
Key export prints the keys that need to be submitted to the parent zone
and are not ds-seen yet. So if it would say "waiting for ds-seen" your
key export would also show you the DNSKEY record.
Documentation could be clearer on this and the command line interface
isn't always intuitive. We need to be careful about changing this though.
If you really want to see all the keys you will have to ask for them specifically:

for state in GENERATE PUBLISH READY ACTIVE RETIRE DEAD DSSUB DSPUBLISH DSREADY KEYPUBLISH; do
    ods-ksmutil key export --keystate "$state"
done

For monitoring purposes it's nice to be able to get all the keys available.
--
Casper Gielen <***@uvt.nl> | LIS UNIX
PGP fingerprint = 16BD 2C9F 8156 C242 F981 63B8 2214 083C F80E 4AF7

Universiteit van Tilburg | Postbus 90153, 5000 LE
Warandelaan 2 | Telefoon 013 466 4100 | G 236 | http://www.uvt.nl
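
For monitoring, the condition Berry describes can be read from the key list output itself: a key is one that key export would print only while its transition column reads "waiting for ds-seen". The sketch below is an added example, not part of the thread or of OpenDNSSEC; the function names are hypothetical, the example.nl lines (including the "ready" state shown on them) are constructed, and the column layout is assumed to match the key list output quoted above.

```shell
#!/bin/sh
# Constructed sample in the layout of the key list output quoted in the thread.
# The two example.nl lines are constructed; "ready" on the KSK is an assumption.
sample_key_list() {
cat <<'EOF'
Keys:
Zone: Keytype: State: Date of next transition:
hccregiodagen.nl KSK active 2016-11-19 17:57:43
hccregiodagen.nl ZSK active 2016-11-19 17:57:43
example.nl KSK ready waiting for ds-seen
example.nl ZSK active 2016-11-19 17:57:43
key list completed in 0 seconds.
EOF
}

# Read key list output on stdin; print "zone keytype state" for every key
# whose transition column reads "waiting for ds-seen".
pending_ds() {
    awk '
        $2 != "KSK" && $2 != "ZSK" { next }   # skip header and status lines
        {
            # Rejoin everything after the state column into one string.
            rest = $4
            for (i = 5; i <= NF; i++) rest = rest " " $i
            if (rest == "waiting for ds-seen") print $1, $2, $3
        }'
}

# Read key list output on stdin; print "state count" per key state, sorted.
state_counts() {
    awk '$2 == "KSK" || $2 == "ZSK" { n[$3]++ }
         END { for (s in n) print s, n[s] }' | sort
}

# Stand-alone run on the constructed sample.
sample_key_list | pending_ds
```

When every key is active, as in the listing at the top of the thread, pending_ds prints nothing.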