<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto"><div>Hi Mark and David,</div><div><br></div><div>All the problems you have reported point to issues with your HSM rather than a problem with OpenDNSSEC.</div>
<div><br></div><div>OpenDNSSEC cannot recover from a state where the key was successfully created but is now missing in the HSM.</div><div><br></div><div>If this is a test environment then you should test your setup with SoftHSM to just verify that your setup works and that there isn't any strange hardware problem.</div>
<div><br></div><div>If this is your production environment I would suggest going unsigned until these problems have been resolved.<br><br>I also suggest that you contact your HSM provider, maybe they can provide you with tools to debug the HSM so you can begin to locate the issue.</div>
<div><br></div><div>Regards,</div><div>Jerry</div><div><br><span style="background-color:rgba(255,255,255,0)">-- <br>Jerry Lundström - OpenDNSSEC Developer<br><a href="http://www.opendnssec.org/" target="_blank">http://www.opendnssec.org/</a></span></div>
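<div>A small diagnostic, added here and not part of this thread or of OpenDNSSEC itself, that does the comparison the messages above do by hand: it takes the CKA_IDs from <code>ods-ksmutil key list --verbose</code> and checks each one against <code>ods-hsmutil list &lt;repository&gt;</code>, both run as the daemon user, so a key that is in the enforcer database but not visible in the repository is reported before the signer trips over it. The two listings embedded in the script are constructed samples modelled on the lines quoted in the thread; the zone name, the <code>opendnssec</code> user and the use of <code>su</code> are assumptions.</div>

```shell
#!/bin/sh
# Cross-check the CKA_IDs in the enforcer database (ods-ksmutil key list --verbose)
# against the keys the HSM exposes (ods-hsmutil list <repository>). A CKA_ID present
# in the first listing but absent from the second is the condition ods-enforcerd
# logs as "Key ... in DB but not repository".

# Constructed sample listings modelled on the lines quoted in the thread (not real
# captures). The HSM sample deliberately lacks the KSK so that one key is "missing".
KSMUTIL_SAMPLE='Zone: Keytype: State: Date of next transition (to): Size: Algorithm: CKA_ID: Repository: Keytag:
example.org KSK active 2015-06-10 15:19:39 (retire) 2048 8 994410881c1e66e2d075ed1ed1756679 thales 15664
example.org ZSK active 2014-07-10 02:17:13 (retire) 2048 8 85d783cf86e25fe6c9bce3cbac1cf851 thales 41234'
HSMUTIL_SAMPLE='thales 85d783cf86e25fe6c9bce3cbac1cf851 RSA/2048'

# Extract every CKA_ID (a 32-character lowercase hex token) from a listing, one per
# line, sorted. Headers, dates, key tags and "RSA/2048" never match, so they are ignored.
cka_ids() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if (length($i) == 32 && $i ~ /^[0-9a-f]+$/) print $i
    }' | sort -u
}

# Print the CKA_IDs found in the enforcer listing ($1) but not in the HSM listing ($2).
missing_keys() {
    hsm_ids=$(cka_ids "$2")
    for id in $(cka_ids "$1"); do
        printf '%s\n' "$hsm_ids" | grep -Fxq "$id" || printf '%s\n' "$id"
    done
}

# Same comparison on a live installation, running both tools as the daemon user
# (assumed to be "opendnssec", as in the thread) so that a permissions or PKCS#11
# configuration difference between users shows up as a missing key.
live_check() {
    repo=${1:-thales}
    db=$(su -s /bin/sh -c 'ods-ksmutil key list --verbose' opendnssec)
    hsm=$(su -s /bin/sh -c "ods-hsmutil list $repo" opendnssec)
    missing=$(missing_keys "$db" "$hsm")
    if [ -n "$missing" ]; then
        echo "CKA_IDs in enforcer DB but not visible in repository $repo:"
        echo "$missing"
        return 1
    fi
    echo "all enforcer keys visible in repository $repo"
}

# Run on the constructed sample; use `live_check thales` on a real system instead.
missing_keys "$KSMUTIL_SAMPLE" "$HSMUTIL_SAMPLE"
```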
<div><br>On 10 jun 2014, at 16:40, David Peall <<a href="mailto:david@dnservices.co.za">david@dnservices.co.za</a>> wrote:<br><br></div><blockquote type="cite"><div><span>Trying a key rollover I get the following:</span><br>
<span>ods-enforcerd: Key 85d783cf86e25fe6c9bce3cbac1cf851 in DB but not repository.</span><br><span></span><br><span>Run as the opendnssec user:</span><br><span>ods-hsmutil list thales | grep 85d783cf86e25fe6c9bce3cbac1cf851 </span><br>
<span>thales 85d783cf86e25fe6c9bce3cbac1cf851 RSA/2048 </span><br><span></span><br><span>Something hinky going on?</span><br><span></span><br><span>Regards</span><br><span>—</span><br><span>David Peall</span><br>
<span></span><br><span>On 10 Jun 2014, at 4:22 PM, David Peall <<a href="mailto:david@dnservices.co.za">david@dnservices.co.za</a>> wrote:</span><br><span></span><br><blockquote type="cite"><span>Hi All</span><br></blockquote>
<blockquote type="cite"><span></span><br></blockquote><blockquote type="cite"><span>As Mark has said logged in as the signer user we are able to list the “missing” key.</span><br></blockquote><blockquote type="cite"><span><zone> KSK active 2015-06-10 15:19:39 (retire) 2048 8 994410881c1e66e2d075ed1ed1756679 thales 15664</span><br>
</blockquote><blockquote type="cite"><span></span><br></blockquote><blockquote type="cite"><span>Anything else we can try to look for?</span><br></blockquote><blockquote type="cite"><span></span><br></blockquote><blockquote type="cite">
<span>Regards</span><br></blockquote><blockquote type="cite"><span>—</span><br></blockquote><blockquote type="cite"><span>David Peall</span><br></blockquote><blockquote type="cite"><span></span><br></blockquote><blockquote type="cite">
<span>On 09 Jun 2014, at 2:39 PM, Siôn Lloyd <<a href="mailto:sion@nominet.org.uk">sion@nominet.org.uk</a>> wrote:</span><br></blockquote><blockquote type="cite"><span></span><br></blockquote><blockquote type="cite">
<blockquote type="cite"><span>On 09/06/14 11:30, David Peall wrote:</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span></span><br></blockquote></blockquote></blockquote>
<blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>But then:</span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>ods-signerd: [hsm] unable to get key: key 994410881c1e66e2d075ed1ed1756679 not found</span><br>
</blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>ods-signerd: [zone] unable to publish dnskeys for zone <zone>: error creating dnskey</span><br></blockquote>
</blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>ods-signerd: [tools] unable to read zone <zone>: failed to publish dnskeys (General error)</span><br></blockquote>
</blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span></span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">
<span>But: </span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>ods-ksmutil key list --verbose</span><br></blockquote></blockquote></blockquote><blockquote type="cite">
<blockquote type="cite"><blockquote type="cite"><span>Zone: Keytype: State: Date of next transition (to): Size: Algorithm: CKA_ID: Repository: Keytag:</span><br>
</blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span><zone> KSK publish 2014-06-10 02:17:13 (ready) 2048 8 994410881c1e66e2d075ed1ed1756679 thales 15664</span><br>
</blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span></span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">
<span>Is this because the key is not active? Is this a bug?</span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>Hi David,</span><br></blockquote></blockquote><blockquote type="cite">
<blockquote type="cite"><span></span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>The state of the key is not causing this... Does the signer run as the</span><br></blockquote></blockquote>
<blockquote type="cite"><blockquote type="cite"><span>same user/group as the enforcer?</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span></span><br></blockquote></blockquote><blockquote type="cite">
<blockquote type="cite"><blockquote type="cite"><span>Also get this:</span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>ods-enforcerd: WARNING: KSK rollover for zone ‘<zone>' not completed as there are no keys in the 'ready' state; ods-enforcerd will try again when it runs next</span><br>
</blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span></span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span></span><br>
</blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>This is just a warning that you have to wait for the KSK and signatures</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">
<span>to propagate before the key is considered "ACTIVE". The wording is not</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>ideal for the initial signing situation, but makes more sense when</span><br>
</blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>describing subsequent rolls.</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span></span><br></blockquote>
</blockquote><blockquote type="cite"><blockquote type="cite"><span>Sion</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>_______________________________________________</span><br></blockquote>
</blockquote><blockquote type="cite"><blockquote type="cite"><span>Opendnssec-user mailing list</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span><a href="mailto:Opendnssec-user@lists.opendnssec.org">Opendnssec-user@lists.opendnssec.org</a></span><br>
</blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span><a href="https://lists.opendnssec.org/mailman/listinfo/opendnssec-user">https://lists.opendnssec.org/mailman/listinfo/opendnssec-user</a></span><br>
</blockquote></blockquote><span></span><br></div></blockquote></body></html>