[Opendnssec-user] adding a zone, key processing fails

Tom Hendrikx tom at whyscream.net
Fri Dec 10 11:19:05 UTC 2010


Hi

After setting up a new instance of opendnssec, I'm having some issues
when adding new zones. This is with opendnssec-1.2.0rc2 (initial
install was 1.2.0rc1 so no 1.1->1.2 db conversion needed) and softhsm
1.20 as the pkcs#11 provider.

I raise signer logging verbosity to 6 (after some earlier mostly
non-related thread), add a zone with "ods-ksmutil zone add --zone $zone
--policy $policy" which generates no output in the syslog. Then I wait
until the enforcer comes by on its regular interval.

After the first run, ods-ksmutil key list -v shows:

example.com                     KSK           publish   2010-12-10 14:46:22       42c301bb477f383991323c08c02d40dc  SoftHSM NOT IN repository
example.com                     ZSK           active    2011-01-09 11:46:22       f349cc85e0e1823f511f2467af4e75ff  SoftHSM NOT IN repository

And logging reveals:

2010-12-10T11:46:22+0100 [ods-signerd] publish dnskeys to zone example.com
2010-12-10T11:46:22+0100 [ods-signerd] open file: dir (null) file example.com.dnskeys for writing
2010-12-10T11:46:22+0100 [ods-signerd] could not find key 42c301bb477f383991323c08c02d40dc
2010-12-10T11:46:22+0100 [ods-signerd] error creating DNSKEY for key 42c301bb477f383991323c08c02d40dc
2010-12-10T11:46:22+0100 [ods-signerd] error adding DNSKEYs to zone example.com
2010-12-10T11:46:22+0100 [ods-signerd] task [add dnskeys to zone example.com] failed

(Complete logs are attached)

I can reproduce this without any problems.

I also just noticed that the key id (42c301bb477f383991323c08c02d40dc)
keeps coming back. I can remove a zone (ods-ksmutil zone delete) that
has this issue, remove all related files from /var/lib/opendnssec and
restart the suite. When I add a new zone that was never used before
(example.com), the signer comes back again with this same key id.

Another note is that when I try to remove the broken zone, I receive an
error that seems to indicate that the database is not correctly setup:

ods-ksmutil zone delete --zone example.com
SQLite database set to: /var/lib/opendnssec/kasp.db
zonelist filename set to /etc/opendnssec/zonelist.xml.
ERROR: error executing SQL - no such column: STATE
Zone list updated: 1 removed, 0 added, 0 updated.
Configurations updated: 0; errors: 0; unchanged: 1.

So, how do I recover from this issue? Note that there is a production
zone (however not very important) currently being signed by this setup
correctly, so starting from scratch is really a last resort.

--
Regards,
	Tom
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ods.log
Type: text/x-log
Size: 10363 bytes
Desc: not available
URL: <http://lists.opendnssec.org/pipermail/opendnssec-user/attachments/20101210/1dc26b5a/attachment.bin>
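As an added example (not from the post and not OpenDNSSEC's own tooling), a small check that parses `ods-ksmutil key list -v` output together with the signer log and flags keys the enforcer tracks but the HSM does not hold, so the mismatch above is caught before the signer fails on it. The column layout is assumed from the output quoted in the post, and the sample lines are constructed.

```python
import re
from typing import List, Set

# Constructed sample of `ods-ksmutil key list -v` output, one key per line
# (column layout assumed from the post; a third, healthy key is added).
KEY_LIST = """\
example.com                     KSK           publish   2010-12-10 14:46:22       42c301bb477f383991323c08c02d40dc  SoftHSM NOT IN repository
example.com                     ZSK           active    2011-01-09 11:46:22       f349cc85e0e1823f511f2467af4e75ff  SoftHSM NOT IN repository
other.example                   ZSK           active    2011-01-09 11:46:22       0123456789abcdef0123456789abcdef  SoftHSM
"""

# Constructed signer log lines, modelled on the ones quoted in the post.
SIGNER_LOG = """\
2010-12-10T11:46:22+0100 [ods-signerd] publish dnskeys to zone example.com
2010-12-10T11:46:22+0100 [ods-signerd] could not find key 42c301bb477f383991323c08c02d40dc
2010-12-10T11:46:22+0100 [ods-signerd] error creating DNSKEY for key 42c301bb477f383991323c08c02d40dc
2010-12-10T11:46:22+0100 [ods-signerd] task [add dnskeys to zone example.com] failed
"""

KEY_RE = re.compile(
    r"^(?P<zone>\S+)\s+(?P<type>KSK|ZSK)\s+(?P<state>\S+)\s+"
    r"(?P<next>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<cka_id>[0-9a-f]{32})\s+(?P<repo>\S+)(?P<missing>\s+NOT IN repository)?\s*$"
)
MISSING_RE = re.compile(r"could not find key (?P<cka_id>[0-9a-f]{32})")


def parse_key_list(text: str) -> List[dict]:
    """Parse key-list lines; 'in_repo' is False when the NOT IN repository marker is present."""
    keys = []
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            d = m.groupdict()
            d["in_repo"] = d.pop("missing") is None
            keys.append(d)
    return keys


def keys_signer_could_not_find(log: str) -> Set[str]:
    """CKA_IDs the signer reported as not found in the HSM."""
    return {m.group("cka_id") for m in MISSING_RE.finditer(log)}


def find_orphan_keys(key_list: str, log: str) -> List[dict]:
    """Keys the enforcer tracks but the HSM lacks, marked with whether the signer already failed on them."""
    failed = keys_signer_could_not_find(log)
    return [dict(k, signer_failed=(k["cka_id"] in failed))
            for k in parse_key_list(key_list) if not k["in_repo"]]
```

Feed it the real output of `ods-ksmutil key list -v` and the signer's syslog lines; any key returned should be checked in the HSM (or the zone's key material regenerated) before the next enforcer run.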