[Opendnssec-user] adding a zone, key processing fails

Sion Lloyd sion at nominet.org.uk
Mon Dec 13 09:02:15 UTC 2010


On Friday 10 Dec 2010 11:19:05 am Tom Hendrikx wrote:
> Hi

> After the first run, ods-ksmutil key list -v shows:
> 
> example.com                     KSK           publish   2010-12-10
> 14:46:22       42c301bb477f383991323c08c02d40dc  SoftHSM NOT IN repository
> example.com                     ZSK           active    2011-01-09
> 11:46:22       f349cc85e0e1823f511f2467af4e75ff  SoftHSM NOT IN repository

This message indicates that the key in the kasp database is not in the HSM... 
Was anything logged at the time that you added the new zone?

> I also just noticed that the key id (42c301bb477f383991323c08c02d40dc)
> keeps coming back. I can remove a zone (ods-ksmutil zone delete) that
> has this issue, remove all related files from /var/lib/opendnssec and
> restart the suite. When I add a new zone that was never used before
> (example.com), the signer comes back again with this same key id.

Do you have shared keys turned on? If so this could be related to that plus 
the error you have seen below.

> Another note is that when I try to remove the broken zone, I receive an
> error that seems to indicate that the database is not correctly setup:

This should be fixed in trunk. It might be worth building from trunk and 
removing the zone again.

> So, how do I recover from this issue? Note that there is a production
> zone (however not very important) currently being signed by this setup
> correctly, so starting from scratch is really a last resort.

I am not sure how this happened. After trying trunk the next thing I would do 
is use hsmutil to confirm that the keys really do not exist in the repository. 
Then see if anything was logged at the time that the new zone was added (and 
the first run of the enforcer after that) to say why key generation failed. If 
none of that turns up any useful information then if you send me (offlist) your 
kasp.db then I can see if I can work out how this happened, and how to fix it.

Sion
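As an added illustration of the check Sion suggests (this is example code, not part of the thread or of OpenDNSSEC): a small parser for the wrapped `ods-ksmutil key list -v` output shown above, which flags keys the kasp database marks "NOT IN repository", key ids that do not appear in the HSM's own listing, and key ids that recur across zones (the symptom Tom describes). The listing is a constructed sample modelled on the quoted output; `SAMPLE_HSM_IDS` is a placeholder for the set of key ids the reader would take from their own HSM listing, on the assumption that both tools print the same hex id for a key.

```python
import re

# Constructed sample modelled on the e-mail-wrapped "ods-ksmutil key list -v"
# output quoted in the thread. The third record is added to show a shared id.
SAMPLE_LISTING = """\
example.com                     KSK           publish   2010-12-10
14:46:22       42c301bb477f383991323c08c02d40dc  SoftHSM NOT IN repository
example.com                     ZSK           active    2011-01-09
11:46:22       f349cc85e0e1823f511f2467af4e75ff  SoftHSM NOT IN repository
example.net                     ZSK           active    2011-01-09
11:46:22       f349cc85e0e1823f511f2467af4e75ff  SoftHSM
"""

# Constructed placeholder: key ids actually present in the HSM, as the reader
# would collect them from their own HSM listing (assumed to be the same hex id).
SAMPLE_HSM_IDS = {"f349cc85e0e1823f511f2467af4e75ff"}

# One record = zone, key type, state, date, time, 32-hex-digit key id, repository,
# optional "NOT IN repository" marker. Whitespace between fields may include the
# line break introduced by e-mail wrapping, so the regex is run over the whole text.
KEY_RE = re.compile(
    r"(?P<zone>\S+)\s+(?P<ktype>KSK|ZSK)\s+(?P<state>\w+)\s+"
    r"(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<keyid>[0-9a-f]{32})\s+(?P<repo>\S+)(?P<missing>\s+NOT IN repository)?"
)


def parse_key_list(text):
    """Return one dict per key record found in the listing."""
    records = []
    for m in KEY_RE.finditer(text):
        rec = m.groupdict()
        rec["missing"] = bool(rec["missing"])  # True when kasp says NOT IN repository
        records.append(rec)
    return records


def audit_keys(listing, hsm_ids):
    """Cross-check the kasp listing against the ids reported by the HSM."""
    keys = parse_key_list(listing)

    # Which zones reference each key id; more than one zone means a shared key.
    zones_by_id = {}
    for k in keys:
        zones_by_id.setdefault(k["keyid"], set()).add(k["zone"])

    findings = []
    for k in keys:
        problems = []
        if k["missing"]:
            problems.append("kasp marks key NOT IN repository")
        if k["keyid"] not in hsm_ids:
            problems.append("key id absent from HSM listing")
        if len(zones_by_id[k["keyid"]]) > 1:
            shared = ", ".join(sorted(zones_by_id[k["keyid"]]))
            problems.append("key id shared by zones: " + shared)
        findings.append({**k, "problems": problems})
    return findings


if __name__ == "__main__":
    for f in audit_keys(SAMPLE_LISTING, SAMPLE_HSM_IDS):
        status = "; ".join(f["problems"]) or "ok"
        print(f"{f['zone']:<16} {f['ktype']} {f['state']:<8} {f['keyid']}  {status}")
```

A key that the kasp database marks "NOT IN repository" but whose id the HSM does report (the second record in the sample) points at a bookkeeping mismatch rather than a lost key; a key missing from both is the case where generation failed, which is what the enforcer logs should explain.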
