[Opendnssec-user] Problem signing a zone

Siôn Lloyd sion at nominet.org.uk
Wed Jun 22 07:56:48 UTC 2011


> Jun 21 06:23:51 ramanujan ods-enforcerd: Zone 4.1.0.0.0.0.1.6.0.1.0.0.2.ip6.arpa found.
> Jun 21 06:23:51 ramanujan ods-enforcerd: Policy for 4.1.0.0.0.0.1.6.0.1.0.0.2.ip6.arpa set to default.
> Jun 21 06:23:51 ramanujan ods-enforcerd: Config will be output to /var/lib/opendnssec/signconf/4.1.0.0.0.0.1.6.0.1.0.0.2.ip6.arpa.xml.
> Jun 21 06:23:51 ramanujan ods-enforcerd: INFO: Promoting ZSK from publish to active as this is the first pass for the zone
> Jun 21 06:23:51 ramanujan ods-enforcerd: ERROR: Trying to make non-backed up ZSK active when RequireBackup flag is set
> Jun 21 06:23:51 ramanujan ods-enforcerd: KsmRequestKeys returned: 65562
> Jun 21 06:23:51 ramanujan ods-enforcerd: Signconf not written for 4.1.0.0.0.0.1.6.0.1.0.0.2.ip6.arpa
> Jun 21 06:50:34 ramanujan ods-auditor[20676]: Can't load 4.1.0.0.0.0.1.6.0.1.0.0.2.ip6.arpa SignerConfiguration file (/var/lib/opendnssec/signconf/4.1.0.0.0.0.1.6.0.1.0.

This is certainly a backup issue. You have a choice of requiring keys to 
be backed up or not; and you are running such that non-backed up keys 
will not be used (this is the safer mode to be in). Because the backups 
are not under ODS's control the timings cannot be factored into key 
generation, so issues like this may happen between key generation and 
backup... I'll see if this led to the "not enough keys" error that you 
originally posted; and if so I'll fix that confusing message.

> I use SoftHSM which, as far as I know, has no real limit, right now
> there are about 2500 keys in there. Nothing was logged besides statements
> from ODS that a new key was generated.

There is no physical limit other than the maximum file size of your FS, 
or maybe what sqlite can cope with. However you can set a soft limit in 
the repository section of conf.xml, this doesn't appear to be a factor 
in this case though.

Re: restarting the enforcer, currently adding a zone does not take 
immediate effect. You can HUP the enforcer by running "ods-control 
enforcer notify", or wait until it runs again according to its schedule.

Sion
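As an added example (not from this thread or from the OpenDNSSEC project), a small check an operator can run over ods-enforcerd log output to list zones whose signconf was withheld by the RequireBackup check, i.e. the situation discussed above. The sample log is constructed from the lines quoted in the thread; the second zone (example.com) is made up to show a zone that passes.

```python
import re

# Constructed sample modelled on the ods-enforcerd lines quoted in this thread;
# the second zone (example.com) is made up to show a zone that passes.
SAMPLE_LOG = """\
Jun 21 06:23:51 ramanujan ods-enforcerd: Zone 4.1.0.0.0.0.1.6.0.1.0.0.2.ip6.arpa found.
Jun 21 06:23:51 ramanujan ods-enforcerd: Policy for 4.1.0.0.0.0.1.6.0.1.0.0.2.ip6.arpa set to default.
Jun 21 06:23:51 ramanujan ods-enforcerd: Config will be output to /var/lib/opendnssec/signconf/4.1.0.0.0.0.1.6.0.1.0.0.2.ip6.arpa.xml.
Jun 21 06:23:51 ramanujan ods-enforcerd: INFO: Promoting ZSK from publish to active as this is the first pass for the zone
Jun 21 06:23:51 ramanujan ods-enforcerd: ERROR: Trying to make non-backed up ZSK active when RequireBackup flag is set
Jun 21 06:23:51 ramanujan ods-enforcerd: KsmRequestKeys returned: 65562
Jun 21 06:23:51 ramanujan ods-enforcerd: Signconf not written for 4.1.0.0.0.0.1.6.0.1.0.0.2.ip6.arpa
Jun 21 06:23:52 ramanujan ods-enforcerd: Zone example.com found.
Jun 21 06:23:52 ramanujan ods-enforcerd: Policy for example.com set to default.
Jun 21 06:23:52 ramanujan ods-enforcerd: Config will be output to /var/lib/opendnssec/signconf/example.com.xml.
"""

MSG_RE = re.compile(r"ods-enforcerd(?:\[\d+\])?: (?P<msg>.*)$")
ZONE_RE = re.compile(r"^Zone (?P<zone>\S+) found\.$")
NOT_WRITTEN_RE = re.compile(r"^Signconf not written for (?P<zone>\S+)$")

def analyse_enforcer_log(text):
    """Map zone -> {"signconf_written": bool, "errors": [str]}. The enforcer
    logs per zone in sequence, so ERROR lines belong to the last zone announced."""
    report, current = {}, None
    for line in text.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue  # not an enforcer line (ods-auditor, ods-signerd, ...)
        msg = m.group("msg")
        if z := ZONE_RE.match(msg):
            current = z.group("zone")
            report.setdefault(current, {"signconf_written": True, "errors": []})
        elif nw := NOT_WRITTEN_RE.match(msg):
            zone = nw.group("zone")
            report.setdefault(zone, {"signconf_written": True, "errors": []})
            report[zone]["signconf_written"] = False
        elif msg.startswith("ERROR:") and current:
            report[current]["errors"].append(msg[len("ERROR: "):])
    return report

def zones_blocked_by_require_backup(text):
    """Zones whose signconf was withheld because a key is not yet backed up."""
    return sorted(
        zone for zone, info in analyse_enforcer_log(text).items()
        if not info["signconf_written"]
        and any("RequireBackup" in e for e in info["errors"])
    )
```

Each zone listed needs the repository backed up (and the keys marked as such) before the enforcer is notified with "ods-control enforcer notify", as described above.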