12010-10-21 14:01:35.486: debug: Check RFC5011 status 22010-10-21 14:01:35.486: debug: ->not a rfc5011 zone, looking for a regular ksk rollover 32010-10-21 14:01:35.486: debug: Check KSK status 42010-10-21 14:01:35.486: debug: Check ZSK status 52010-10-21 14:01:35.486: debug: No active ZSK found: generate new one 62010-10-21 14:01:35.495: error: sub.example.net.": can't generate new ZSK 72010-10-21 14:01:35.495: debug: Re-signing necessary: Modfied zone key set 82010-10-21 14:01:35.496: notice: "sub.example.net.": re-signing triggered: Modfied zone key set 92010-10-21 14:01:35.496: debug: Writing key file "./sub.example.net/dnskey.db" 102010-10-21 14:01:35.496: debug: Incrementing serial number in file "./sub.example.net/zone.db" 112010-10-21 14:01:35.496: debug: Signing zone "sub.example.net." 122010-10-21 14:01:35.496: debug: Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -u -3 9FC981 -C -g -p -d ../keysets -o sub.example.net. -e +172800 zone.db K*.private 2>&1" 132010-10-21 14:01:35.546: debug: Cmd dnssec-signzone return: "dnssec-signzone: fatal: DNSSEC completeness test failed." 142010-10-21 14:01:35.546: error: "sub.example.net.": signing failed! 152010-10-21 14:02:09.146: debug: Check RFC5011 status 162010-10-21 14:02:09.146: debug: ->not a rfc5011 zone, looking for a regular ksk rollover 172010-10-21 14:02:09.146: debug: Check KSK status 182010-10-21 14:02:09.146: debug: Check ZSK status 192010-10-21 14:02:09.146: debug: No active ZSK found: generate new one 202010-10-21 14:02:09.156: error: sub.example.net.": can't generate new ZSK 212010-10-21 14:02:09.156: debug: Re-signing necessary: Modified keys 222010-10-21 14:02:09.156: notice: "sub.example.net.": re-signing triggered: Modified keys 232010-10-21 14:02:09.156: debug: Writing key file "./sub.example.net/dnskey.db" 242010-10-21 14:02:09.157: debug: Incrementing serial number in file "./sub.example.net/zone.db" 252010-10-21 14:02:09.157: debug: Signing zone "sub.example.net." 262010-10-21 14:02:09.157: debug: Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -u -3 BD326D -C -g -p -d ../keysets -o sub.example.net. -e +172800 zone.db K*.private 2>&1" 272010-10-21 14:02:09.208: debug: Cmd dnssec-signzone return: "dnssec-signzone: fatal: DNSSEC completeness test failed." 282010-10-21 14:02:09.208: error: "sub.example.net.": signing failed! 292010-10-21 14:05:35.988: debug: Check RFC5011 status 302010-10-21 14:05:35.988: debug: ->not a rfc5011 zone, looking for a regular ksk rollover 312010-10-21 14:05:35.988: debug: Check KSK status 322010-10-21 14:05:35.988: debug: Check ZSK status 332010-10-21 14:05:35.988: debug: No active ZSK found: generate new one 342010-10-21 14:05:36.091: info: "sub.example.net.": generated new ZSK 7987 352010-10-21 14:05:36.091: debug: Re-signing necessary: Modfied zone key set 362010-10-21 14:05:36.091: notice: "sub.example.net.": re-signing triggered: Modfied zone key set 372010-10-21 14:05:36.091: debug: Writing key file "./sub.example.net/dnskey.db" 382010-10-21 14:05:36.091: debug: Incrementing serial number in file "./sub.example.net/zone.db" 392010-10-21 14:05:36.091: debug: Signing zone "sub.example.net." 402010-10-21 14:05:36.091: debug: Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -u -3 75DE06 -C -g -p -d ../keysets -o sub.example.net. -e +172800 zone.db K*.private 2>&1" 412010-10-21 14:05:36.170: debug: Cmd dnssec-signzone return: "zone.db.signed" 422010-10-21 14:05:36.170: debug: Signing completed after 0s. 432010-10-21 14:30:43.892: debug: Check RFC5011 status 442010-10-21 14:30:43.892: debug: ->not a rfc5011 zone, looking for a regular ksk rollover 452010-10-21 14:30:43.892: debug: Check KSK status 462010-10-21 14:30:43.892: debug: Check ZSK status 472010-10-21 14:30:43.892: debug: Re-signing not necessary! 482010-10-21 14:30:43.892: debug: Check if there is a parent file to copy 492014-11-14 18:04:37.686: debug: Check RFC5011 status 502014-11-14 18:04:37.686: debug: ->not a rfc5011 zone, looking for a regular ksk rollover 512014-11-14 18:04:37.686: debug: Check KSK status 522014-11-14 18:04:37.686: warning: "sub.example.net.": lifetime of key signing key 33176 exceeded since 4d8h26m2s 532014-11-14 18:04:37.686: debug: Check ZSK status 542014-11-14 18:04:37.686: debug: Lifetime(259200 +/-150 sec) of active key 7987 exceeded (980762 sec) 552014-11-14 18:04:37.686: debug: ->waiting for published key 562014-11-14 18:04:37.686: notice: "sub.example.net.": lifetime of zone signing key 7987 exceeded since 1w1d8h26m2s: ZSK rollover deferred: waiting for published key 572014-11-14 18:04:37.686: debug: New ZSK for publishing needed 582014-11-14 18:04:37.721: debug: ->creating new key 39632 592014-11-14 18:04:37.721: info: "sub.example.net.": new zone signing key 39632 generated for publishing 602014-11-14 18:04:37.721: debug: Re-signing necessary: Modified zone key set 612014-11-14 18:04:37.721: notice: "sub.example.net.": re-signing triggered: Modified zone key set 622014-11-14 18:04:37.721: debug: Writing key file "./sub.example.net/dnskey.db" 632014-11-14 18:04:37.721: debug: Incrementing serial number in file "./sub.example.net/zone.db" 642014-11-14 18:04:37.721: debug: Signing zone "sub.example.net." 652014-11-14 18:04:37.722: debug: Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -u -3 97195D -C -g -p -d ../keysets -o sub.example.net. -e +172800 zone.db K*.private 2>&1" 662014-11-14 18:04:37.729: debug: Cmd dnssec-signzone return: "dnssec-signzone: fatal: NSEC3 generation requested with NSEC-only DNSKEY" 672014-11-14 18:04:37.729: error: "sub.example.net.": signing failed! 682014-11-14 18:09:16.251: debug: Check RFC5011 status 692014-11-14 18:09:16.251: debug: ->not a rfc5011 zone, looking for a regular ksk rollover 702014-11-14 18:09:16.251: debug: Check KSK status 712014-11-14 18:09:16.251: debug: No active KSK found: generate new one 722014-11-14 18:09:16.288: info: "sub.example.net.": generated new KSK 60396 732014-11-14 18:09:16.288: debug: Check ZSK status 742014-11-14 18:09:16.288: debug: No active ZSK found: generate new one 752014-11-14 18:09:16.329: info: "sub.example.net.": generated new ZSK 21503 762014-11-14 18:09:16.329: debug: Re-signing necessary: Modified zone key set 772014-11-14 18:09:16.329: notice: "sub.example.net.": re-signing triggered: Modified zone key set 782014-11-14 18:09:16.329: debug: Writing key file "./sub.example.net/dnskey.db" 792014-11-14 18:09:16.330: debug: Incrementing serial number in file "./sub.example.net/zone.db" 802014-11-14 18:09:16.330: debug: Signing zone "sub.example.net." 812014-11-14 18:09:16.330: debug: Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -u -3 B26BB7 -C -g -p -d ../keysets -o sub.example.net. -e +172800 zone.db K*.private 2>&1" 822014-11-14 18:09:16.427: debug: Cmd dnssec-signzone return: "zone.db.signed" 832014-11-14 18:09:16.427: debug: Signing completed after 0s. 842014-11-14 18:11:40.699: debug: Check RFC5011 status 852014-11-14 18:11:40.699: debug: ->not a rfc5011 zone, looking for a regular ksk rollover 862014-11-14 18:11:40.699: debug: Check KSK status 872014-11-14 18:11:40.699: debug: Check ZSK status 882014-11-14 18:11:40.699: debug: Re-signing necessary: Modified keys 892014-11-14 18:11:40.699: notice: "sub.example.net.": re-signing triggered: Modified keys 902014-11-14 18:11:40.699: debug: Writing key file "././sub.example.net/dnskey.db" 912014-11-14 18:11:40.699: debug: Incrementing serial number in file "././sub.example.net/zone.db" 922014-11-14 18:11:40.699: debug: Signing zone "sub.example.net." 932014-11-14 18:11:40.699: debug: Run cmd "cd ././sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -u -3 E8CBA9 -C -g -p -d ../keysets -o sub.example.net. -e +172800 zone.db K*.private 2>&1" 942014-11-14 18:11:40.876: debug: Cmd dnssec-signzone return: "zone.db.signed" 952014-11-14 18:11:40.876: debug: Signing completed after 0s. 962014-11-14 18:11:46.599: debug: Check RFC5011 status 972014-11-14 18:11:46.599: debug: ->not a rfc5011 zone, looking for a regular ksk rollover 982014-11-14 18:11:46.599: debug: Check KSK status 992014-11-14 18:11:46.599: debug: Check ZSK status 1002014-11-14 18:11:46.599: debug: Re-signing not necessary! 1012014-11-14 18:11:46.599: debug: Check if there is a parent file to copy 1022014-11-14 18:15:54.379: debug: Check RFC5011 status 1032014-11-14 18:15:54.379: debug: ->not a rfc5011 zone, looking for a regular ksk rollover 1042014-11-14 18:15:54.379: debug: Check KSK status 1052014-11-14 18:15:54.379: debug: Check ZSK status 1062014-11-14 18:15:54.379: debug: Re-signing not necessary! 1072014-11-14 18:15:54.379: debug: Check if there is a parent file to copy 1082014-11-14 18:31:09.365: debug: Check RFC5011 status 1092014-11-14 18:31:09.365: debug: ->not a rfc5011 zone, looking for a regular ksk rollover 1102014-11-14 18:31:09.365: debug: Check KSK status 1112014-11-14 18:31:09.365: debug: Check ZSK status 1122014-11-14 18:31:09.365: debug: Re-signing not necessary! 1132014-11-14 18:31:09.365: debug: Check if there is a parent file to copy 1142014-11-14 18:31:27.335: debug: Check RFC5011 status 1152014-11-14 18:31:27.335: debug: ->not a rfc5011 zone, looking for a regular ksk rollover 1162014-11-14 18:31:27.335: debug: Check KSK status 1172014-11-14 18:31:27.335: debug: Check ZSK status 1182014-11-14 18:31:27.335: debug: Re-signing not necessary! 1192014-11-14 18:31:27.335: debug: Check if there is a parent file to copy 1202014-11-14 18:38:16.355: debug: Check RFC5011 status 1212014-11-14 18:38:16.355: debug: ->not a rfc5011 zone, looking for a regular ksk rollover 1222014-11-14 18:38:16.355: debug: Check KSK status 1232014-11-14 18:38:16.355: debug: Check ZSK status 1242014-11-14 18:38:16.355: debug: Re-signing not necessary! 1252014-11-14 18:38:16.356: debug: Check if there is a parent file to copy 1262014-11-15 18:16:50.447: debug: Check RFC5011 status 1272014-11-15 18:16:50.447: debug: ->not a rfc5011 zone, looking for a regular ksk rollover 1282014-11-15 18:16:50.447: debug: Check KSK status 1292014-11-15 18:16:50.447: debug: Check ZSK status 1302014-11-15 18:16:50.447: debug: Re-signing necessary: re-signing interval (1d) reached 1312014-11-15 18:16:50.447: notice: "sub.example.net.": re-signing triggered: re-signing interval (1d) reached 1322014-11-15 18:16:50.447: debug: Writing key file "././sub.example.net/dnskey.db" 1332014-11-15 18:16:50.447: debug: Incrementing serial number in file "././sub.example.net/zone.db" 1342014-11-15 18:16:50.447: debug: Signing zone "sub.example.net." 1352014-11-15 18:16:50.448: debug: Run cmd "cd ././sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -u -3 DC5680 -C -g -p -d ../keysets -o sub.example.net. -e +172800 zone.db K*.private 2>&1" 1362014-11-15 18:16:50.572: debug: Cmd dnssec-signzone return: "zone.db.signed" 1372014-11-15 18:16:50.572: debug: Signing completed after 0s. 1382014-11-15 18:16:54.202: debug: Check RFC5011 status 1392014-11-15 18:16:54.202: debug: ->not a rfc5011 zone, looking for a regular ksk rollover 1402014-11-15 18:16:54.202: debug: Check KSK status 1412014-11-15 18:16:54.202: debug: Check ZSK status 1422014-11-15 18:16:54.202: debug: Re-signing not necessary! 1432014-11-15 18:16:54.202: debug: Check if there is a parent file to copy 1442014-11-15 18:17:06.918: debug: Check RFC5011 status 1452014-11-15 18:17:06.918: debug: ->not a rfc5011 zone, looking for a regular ksk rollover 1462014-11-15 18:17:06.918: debug: Check KSK status 1472014-11-15 18:17:06.918: debug: Check ZSK status 1482014-11-15 18:17:06.918: debug: Re-signing not necessary! 1492014-11-15 18:17:06.918: debug: Check if there is a parent file to copy 1502014-11-15 18:17:17.242: debug: Check RFC5011 status 1512014-11-15 18:17:17.242: debug: ->not a rfc5011 zone, looking for a regular ksk rollover 1522014-11-15 18:17:17.242: debug: Check KSK status 1532014-11-15 18:17:17.242: debug: Check ZSK status 1542014-11-15 18:17:17.242: debug: Re-signing not necessary! 1552014-11-15 18:17:17.242: debug: Check if there is a parent file to copy 1562014-11-17 19:12:44.029: debug: Check RFC5011 status 1572014-11-17 19:12:44.029: debug: ->not a rfc5011 zone, looking for a regular ksk rollover 1582014-11-17 19:12:44.029: debug: Check KSK status 1592014-11-17 19:12:44.029: debug: Check ZSK status 1602014-11-17 19:12:44.029: debug: Lifetime(259200 +/-150 sec) of active key 21503 exceeded (263008 sec) 1612014-11-17 19:12:44.029: debug: ->waiting for published key 1622014-11-17 19:12:44.029: notice: "sub.example.net.": lifetime of zone signing key 21503 exceeded since 1h3m28s: ZSK rollover deferred: waiting for published key 1632014-11-17 19:12:44.029: debug: New ZSK for publishing needed 1642014-11-17 19:12:44.110: debug: ->creating new key 53867 1652014-11-17 19:12:44.110: info: "sub.example.net.": new zone signing key 53867 generated for publishing 1662014-11-17 19:12:44.110: debug: Re-signing necessary: Modified zone key set 1672014-11-17 19:12:44.110: notice: "sub.example.net.": re-signing triggered: Modified zone key set 1682014-11-17 19:12:44.110: debug: Writing key file "./sub.example.net/dnskey.db" 1692014-11-17 19:12:44.111: debug: Incrementing serial number in file "./sub.example.net/zone.db" 1702014-11-17 19:12:44.111: debug: Signing zone "sub.example.net." 1712014-11-17 19:12:44.111: debug: Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -u -3 9F5882 -C -g -p -d ../keysets -o sub.example.net. -e +172800 zone.db K*.private 2>&1" 1722014-11-17 19:12:44.250: debug: Cmd dnssec-signzone return: "zone.db.signed" 1732014-11-17 19:12:44.250: debug: Signing completed after 0s. 1742014-11-17 19:12:49.691: debug: Check RFC5011 status 1752014-11-17 19:12:49.691: debug: ->not a rfc5011 zone, looking for a regular ksk rollover 1762014-11-17 19:12:49.691: debug: Check KSK status 1772014-11-17 19:12:49.691: debug: Check ZSK status 1782014-11-17 19:12:49.691: debug: Lifetime(259200 +/-150 sec) of active key 21503 exceeded (263013 sec) 1792014-11-17 19:12:49.691: debug: ->waiting for published key 1802014-11-17 19:12:49.691: notice: "sub.example.net.": lifetime of zone signing key 21503 exceeded since 1h3m33s: ZSK rollover deferred: waiting for published key 1812014-11-17 19:12:49.692: debug: Re-signing not necessary! 1822014-11-17 19:12:49.692: debug: Check if there is a parent file to copy 1832014-11-17 19:13:02.603: debug: Check RFC5011 status 1842014-11-17 19:13:02.603: debug: ->not a rfc5011 zone, looking for a regular ksk rollover 1852014-11-17 19:13:02.603: debug: Check KSK status 1862014-11-17 19:13:02.603: debug: Check ZSK status 1872014-11-17 19:13:02.603: debug: Lifetime(259200 +/-150 sec) of active key 21503 exceeded (263026 sec) 1882014-11-17 19:13:02.603: debug: ->waiting for published key 1892014-11-17 19:13:02.603: notice: "sub.example.net.": lifetime of zone signing key 21503 exceeded since 1h3m46s: ZSK rollover deferred: waiting for published key 1902014-11-17 19:13:02.603: debug: Re-signing not necessary! 1912014-11-17 19:13:02.603: debug: Check if there is a parent file to copy 1922014-11-17 19:13:50.409: debug: Check RFC5011 status 1932014-11-17 19:13:50.409: debug: ->not a rfc5011 zone, looking for a regular ksk rollover 1942014-11-17 19:13:50.409: debug: Check KSK status 1952014-11-17 19:13:50.409: debug: Check ZSK status 1962014-11-17 19:13:50.409: debug: Lifetime(259200 +/-150 sec) of active key 21503 exceeded (263074 sec) 1972014-11-17 19:13:50.409: debug: ->waiting for published key 1982014-11-17 19:13:50.409: notice: "sub.example.net.": lifetime of zone signing key 21503 exceeded since 1h4m34s: ZSK rollover deferred: waiting for published key 1992014-11-17 19:13:50.409: debug: Re-signing not necessary! 2002014-11-17 19:13:50.409: debug: Check if there is a parent file to copy 2012014-11-17 19:13:54.302: debug: Check RFC5011 status 2022014-11-17 19:13:54.302: debug: ->not a rfc5011 zone, looking for a regular ksk rollover 2032014-11-17 19:13:54.302: debug: Check KSK status 2042014-11-17 19:13:54.302: debug: Check ZSK status 2052014-11-17 19:13:54.302: debug: Lifetime(259200 +/-150 sec) of active key 21503 exceeded (263078 sec) 2062014-11-17 19:13:54.302: debug: ->waiting for published key 2072014-11-17 19:13:54.302: notice: "sub.example.net.": lifetime of zone signing key 21503 exceeded since 1h4m38s: ZSK rollover deferred: waiting for published key 2082014-11-17 19:13:54.302: debug: Re-signing not necessary! 2092014-11-17 19:13:54.302: debug: Check if there is a parent file to copy 2102014-11-17 19:14:01.845: debug: Check RFC5011 status 2112014-11-17 19:14:01.846: debug: ->not a rfc5011 zone, looking for a regular ksk rollover 2122014-11-17 19:14:01.846: debug: Check KSK status 2132014-11-17 19:14:01.846: debug: Check ZSK status 2142014-11-17 19:14:01.846: debug: Lifetime(259200 +/-150 sec) of active key 21503 exceeded (263085 sec) 2152014-11-17 19:14:01.846: debug: ->waiting for published key 2162014-11-17 19:14:01.846: notice: "sub.example.net.": lifetime of zone signing key 21503 exceeded since 1h4m45s: ZSK rollover deferred: waiting for published key 2172014-11-17 19:14:01.846: debug: Re-signing not necessary! 2182014-11-17 19:14:01.846: debug: Check if there is a parent file to copy 219