[Opendnssec-user] Problem signing a zone

Casper Gielen c.gielen at uvt.nl
Tue Jun 21 10:53:47 UTC 2011


On 21-06-11 09:46, Siôn Lloyd wrote:
> 
>>>> ods-ksmutil key generate --policy default --interval P1Y
>>
>> Unfortunately this does not solve the problem. If you are interested I
>> will send the configs to you by private mail. Thanks for looking into
>> this.
>>

This may have been the solution after all. The problem resolved itself
2 hours before I arrived at work. It's probably a combination of something I
tried yesterday (such as the command above) and a cronjob. As backups are made
at 7:15, this is the obvious candidate.

With hindsight it may be the case that nothing is wrong and that it is a
matter of a confusing message and lack of experience on my side.


Jun 21 06:23:51 ramanujan ods-enforcerd: Zone 4.1.0.0.0.0.1.6.0.1.0.0.2.ip6.arpa found.
Jun 21 06:23:51 ramanujan ods-enforcerd: Policy for 4.1.0.0.0.0.1.6.0.1.0.0.2.ip6.arpa set to default.
Jun 21 06:23:51 ramanujan ods-enforcerd: Config will be output to /var/lib/opendnssec/signconf/4.1.0.0.0.0.1.6.0.1.0.0.2.ip6.arpa.xml.
Jun 21 06:23:51 ramanujan ods-enforcerd: INFO: Promoting ZSK from publish to active as this is the first pass for the zone
Jun 21 06:23:51 ramanujan ods-enforcerd: ERROR: Trying to make non-backed up ZSK active when RequireBackup flag is set
Jun 21 06:23:51 ramanujan ods-enforcerd: KsmRequestKeys returned: 65562
Jun 21 06:23:51 ramanujan ods-enforcerd: Signconf not written for 4.1.0.0.0.0.1.6.0.1.0.0.2.ip6.arpa
Jun 21 06:50:34 ramanujan ods-auditor[20676]: Can't load 4.1.0.0.0.0.1.6.0.1.0.0.2.ip6.arpa SignerConfiguration file (/var/lib/opendnssec/signconf/4.1.0.0.0.0.1.6.0.1.0.


Jun 21 07:24:07 ramanujan ods-enforcerd: Zone 4.1.0.0.0.0.1.6.0.1.0.0.2.ip6.arpa found.
Jun 21 07:24:07 ramanujan ods-enforcerd: Policy for 4.1.0.0.0.0.1.6.0.1.0.0.2.ip6.arpa set to default.
Jun 21 07:24:07 ramanujan ods-enforcerd: Config will be output to /var/lib/opendnssec/signconf/4.1.0.0.0.0.1.6.0.1.0.0.2.ip6.arpa.xml.
Jun 21 07:24:07 ramanujan ods-enforcerd: INFO: Promoting ZSK from publish to active as this is the first pass for the zone

Jun 21 07:24:12 ramanujan ods-auditor[27038]: Auditor starting on 4.1.0.0.0.0.1.6.0.1.0.0.2.ip6.arpa
Jun 21 07:24:12 ramanujan ods-auditor[27038]: SOA differs : from 2010070200 to 2011062100
Jun 21 07:24:12 ramanujan ods-auditor[27038]: Auditing 4.1.0.0.0.0.1.6.0.1.0.0.2.ip6.arpa zone : NSEC3 SIGNED
Jun 21 07:24:12 ramanujan ods-auditor[27038]: Finished auditing 4.1.0.0.0.0.1.6.0.1.0.0.2.ip6.arpa zone


>>
> 
> Is anything logged when the above command is run? Is it possible that
> the capacity of the HSM has been reached?

I use SoftHSM which, as far as I know, has no real limit; right now
there are about 2500 keys in there. Nothing was logged besides statements
from ODS that a new key was generated.


> 
> If you send me (off list) your kasp.db I'll have a look and see if I can
> spot anything that might cause this.
> 

Thanks for the offer. The problem has been resolved. If you would still
want to receive the file out of personal interest let me know and I'll
send a copy.

-- 
Casper Gielen <cgielen at uvt.nl> | LIS UNIX
PGP fingerprint = 16BD 2C9F 8156 C242 F981  63B8 2214 083C F80E 4AF7

Universiteit van Tilburg | Postbus 90153, 5000 LE
Warandelaan 2 | Telefoon 013 466 4100 | G 236 | http://www.uvt.nl
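The enforcer log quoted above shows the failure mode worth watching for in practice: a pass that logs "Signconf not written" leaves the zone without a fresh signer configuration, and the auditor then fails to load it, so an operator who only watches the signer or auditor sees a confusing secondary error. The following is an added example, not code from the post or from the OpenDNSSEC project, that parses ods-enforcerd syslog lines (in the exact format quoted above, which is the assumed input format) into per-zone enforcer passes and reports zones whose most recent pass did not write a signconf, along with the ERROR lines that explain why. The sample log is constructed from the enforcer lines in the post; the remediation hint naming `ods-ksmutil backup done` and the `RequireBackup` repository setting is my reading of the error text, not something the post states.

```python
"""Detect OpenDNSSEC enforcer passes that failed to write a signer configuration.

Added example (not from the post or the OpenDNSSEC project). Assumes the
syslog line format shown in the post, e.g.
  Jun 21 06:23:51 ramanujan ods-enforcerd: Signconf not written for <zone>
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample: the ods-enforcerd lines quoted in the post above
# (first pass fails on RequireBackup, second pass after the backup succeeds).
SAMPLE_LOG = """\
Jun 21 06:23:51 ramanujan ods-enforcerd: Zone 4.1.0.0.0.0.1.6.0.1.0.0.2.ip6.arpa found.
Jun 21 06:23:51 ramanujan ods-enforcerd: Policy for 4.1.0.0.0.0.1.6.0.1.0.0.2.ip6.arpa set to default.
Jun 21 06:23:51 ramanujan ods-enforcerd: Config will be output to /var/lib/opendnssec/signconf/4.1.0.0.0.0.1.6.0.1.0.0.2.ip6.arpa.xml.
Jun 21 06:23:51 ramanujan ods-enforcerd: INFO: Promoting ZSK from publish to active as this is the first pass for the zone
Jun 21 06:23:51 ramanujan ods-enforcerd: ERROR: Trying to make non-backed up ZSK active when RequireBackup flag is set
Jun 21 06:23:51 ramanujan ods-enforcerd: KsmRequestKeys returned: 65562
Jun 21 06:23:51 ramanujan ods-enforcerd: Signconf not written for 4.1.0.0.0.0.1.6.0.1.0.0.2.ip6.arpa
Jun 21 07:24:07 ramanujan ods-enforcerd: Zone 4.1.0.0.0.0.1.6.0.1.0.0.2.ip6.arpa found.
Jun 21 07:24:07 ramanujan ods-enforcerd: Policy for 4.1.0.0.0.0.1.6.0.1.0.0.2.ip6.arpa set to default.
Jun 21 07:24:07 ramanujan ods-enforcerd: Config will be output to /var/lib/opendnssec/signconf/4.1.0.0.0.0.1.6.0.1.0.0.2.ip6.arpa.xml.
Jun 21 07:24:07 ramanujan ods-enforcerd: INFO: Promoting ZSK from publish to active as this is the first pass for the zone
"""

# Classic syslog prefix: timestamp, host, program with optional [pid], then the message.
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[\w-]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
ZONE_FOUND_RE = re.compile(r"^Zone (?P<zone>\S+) found\.$")
NOT_WRITTEN_RE = re.compile(r"^Signconf not written for (?P<zone>\S+)$")
ERROR_RE = re.compile(r"^ERROR: (?P<err>.+)$")


@dataclass
class EnforcerPass:
    """One enforcer run over one zone, from 'Zone X found.' to the next such line."""
    zone: str
    started: str
    errors: List[str] = field(default_factory=list)
    signconf_written: bool = True  # flipped to False on 'Signconf not written for X'

    @property
    def blocked_by_backup_policy(self) -> bool:
        return any("RequireBackup" in e for e in self.errors)


def parse_passes(log_text: str) -> List[EnforcerPass]:
    """Group ods-enforcerd lines into passes; lines from other programs are ignored."""
    passes: List[EnforcerPass] = []
    current = None
    for line in log_text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m or m["prog"] != "ods-enforcerd":
            continue
        msg = m["msg"]
        z = ZONE_FOUND_RE.match(msg)
        if z:
            current = EnforcerPass(zone=z["zone"], started=m["ts"])
            passes.append(current)
            continue
        if current is None:
            continue
        e = ERROR_RE.match(msg)
        if e:
            current.errors.append(e["err"])
        nw = NOT_WRITTEN_RE.match(msg)
        if nw and nw["zone"] == current.zone:
            current.signconf_written = False
    return passes


def latest_status(passes: List[EnforcerPass]) -> Dict[str, EnforcerPass]:
    """Most recent pass per zone: a later clean pass supersedes an earlier failure."""
    latest: Dict[str, EnforcerPass] = {}
    for p in passes:
        latest[p.zone] = p
    return latest


def alerts(log_text: str) -> List[str]:
    """Zones whose most recent enforcer pass left no signconf, with the logged reason."""
    out = []
    for zone, p in latest_status(parse_passes(log_text)).items():
        if p.signconf_written:
            continue
        reason = "; ".join(p.errors) or "no ERROR line logged"
        hint = ""
        if p.blocked_by_backup_policy:
            # Assumed remediation: mark the repository as backed up
            # ('ods-ksmutil backup done') or drop RequireBackup from the repository config.
            hint = " [key not marked as backed up while RequireBackup is set]"
        out.append(f"{p.started} {zone}: signconf not written: {reason}{hint}")
    return out


if __name__ == "__main__":
    for a in alerts(SAMPLE_LOG) or ["all zones: latest enforcer pass wrote a signconf"]:
        print(a)
```

Run against the whole sample the script reports nothing, because the 07:24 pass superseded the failed 06:23 pass; run against only the first seven lines it reports the zone with the RequireBackup error, which is the state the original poster was looking at before the backup cronjob ran.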


