[Opendnssec-develop] [OpenDNSSEC] #191: Signer does not log when a zone can't be signed due to errors

OpenDNSSEC owner-dnssec-trac at kirei.se
Tue Nov 2 10:51:12 UTC 2010


#191: Signer does not log when a zone can't be signed due to errors
-------------------+--------------------------------------------------------
Reporter:  roland  |       Owner:  mm            
    Type:  defect  |      Status:  new           
Priority:  major   |   Component:  Signer        
 Version:  1.1.1   |    Keywords:  signer,logging
-------------------+--------------------------------------------------------
 Today, we experienced a synchronisation problem with our HSMs (we have two
 that operate in high availability mode). The result of this is that some
 keys cannot be found. The signer reports this in the logs:

 Nov  2 00:45:12 rivest ods-signerd: create_dnskey stderr: Unable to find key with id 42abf624e0ad28c4f50f6e8f64734054
 Nov  2 00:45:12 rivest ods-signerd: Error: could not find key 42abf624e0ad28c4f50f6e8f64734054
 Nov  2 00:45:12 rivest zone_reader: SSL cipher list set to AES256-SHA
 ...
 Nov  2 00:45:13 rivest ods-signerd: stderr from zone_reader: could not find key 42abf624e0ad28c4f50f6e8f64734054
 Nov  2 00:45:13 rivest ods-signerd: stderr from zone_reader: error creating DNSKEYs for zone 'surfnet.nl'
 Nov  2 00:45:13 rivest ods-signerd: stderr from zone_reader: Error, unable to publish DNSKEYs for zone surfnet.nl
 Nov  2 00:45:13 rivest ods-signerd: Nseccing failed
 ...

 The end result is that the signer cannot output a new signed zone. We only
 noticed this problem because our monitoring picked up that signatures were
 not being refreshed.

 It would be very helpful if the signer could *explicitly* log that it was
 unable to output a new signed zone rather than just reporting intermediate
 error messages like "Nseccing failed".

 Thanks in advance! Cheers, Roland.

-- 
Ticket URL: <http://trac.opendnssec.org/ticket/191>
OpenDNSSEC <http://www.opendnssec.org/>
OpenDNSSEC
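
Added example, not part of the original ticket and not OpenDNSSEC code: a log check that collapses the intermediate errors quoted in the report into one explicit "zone was NOT signed" record per zone. It assumes the message formats shown in the ticket and that "Nseccing failed" ends a failed attempt for the zone named just before it; the function names are hypothetical.

```python
import re

# Log lines taken from the report above, unwrapped to one entry per line.
SAMPLE_LOG = """\
Nov  2 00:45:12 rivest ods-signerd: create_dnskey stderr: Unable to find key with id 42abf624e0ad28c4f50f6e8f64734054
Nov  2 00:45:12 rivest ods-signerd: Error: could not find key 42abf624e0ad28c4f50f6e8f64734054
Nov  2 00:45:12 rivest zone_reader: SSL cipher list set to AES256-SHA
Nov  2 00:45:13 rivest ods-signerd: stderr from zone_reader: could not find key 42abf624e0ad28c4f50f6e8f64734054
Nov  2 00:45:13 rivest ods-signerd: stderr from zone_reader: error creating DNSKEYs for zone 'surfnet.nl'
Nov  2 00:45:13 rivest ods-signerd: stderr from zone_reader: Error, unable to publish DNSKEYs for zone surfnet.nl
Nov  2 00:45:13 rivest ods-signerd: Nseccing failed
"""

SYSLOG = re.compile(r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) (?P<host>\S+) (?P<prog>[^:\s]+): (?P<msg>.*)$")
MISSING_KEY = re.compile(r"(?:could not find key|Unable to find key with id) ([0-9a-f]{32})")
ZONE = re.compile(r"DNSKEYs for zone '?([^'\s]+)'?")


def signing_failures(lines):
    """Collapse intermediate signer errors into one explicit record per failed zone."""
    failures, keys, zone = [], set(), None
    for line in lines:
        m = SYSLOG.match(line)
        if not m:
            continue
        msg = m["msg"]
        if k := MISSING_KEY.search(msg):
            keys.add(k[1])
        elif z := ZONE.search(msg):
            zone = z[1]
        elif msg == "Nseccing failed":
            # Assumption: this line ends a failed attempt for the zone named just before it.
            failures.append({"time": m["ts"], "host": m["host"],
                             "zone": zone or "<unknown>", "missing_keys": sorted(keys)})
            keys, zone = set(), None
    return failures


def alert(f):
    reason = "missing key(s) " + ", ".join(f["missing_keys"]) if f["missing_keys"] else "see preceding errors"
    return f"{f['time']} {f['host']}: zone {f['zone']} was NOT signed ({reason})"


if __name__ == "__main__":
    for failure in signing_failures(SAMPLE_LOG.splitlines()):
        print(alert(failure))
```

Fed from syslog, each returned record can be forwarded to monitoring as a single alert instead of relying on signature-age checks alone.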