[Opendnssec-user] Problem signing a zone
sion at nominet.org.uk
Wed Jun 22 07:56:48 UTC 2011
> Jun 21 06:23:51 ramanujan ods-enforcerd: Zone 220.127.116.11.0.0.1.6.0.1.0.0.2.ip6.arpa found.
> Jun 21 06:23:51 ramanujan ods-enforcerd: Policy for 18.104.22.168.0.0.1.6.0.1.0.0.2.ip6.arpa set to default.
> Jun 21 06:23:51 ramanujan ods-enforcerd: Config will be output to /var/lib/opendnssec/signconf/22.214.171.124.0.0.1.6.0.1.0.0.2.ip6.arpa.xml.
> Jun 21 06:23:51 ramanujan ods-enforcerd: INFO: Promoting ZSK from publish to active as this is the first pass for the zone
> Jun 21 06:23:51 ramanujan ods-enforcerd: ERROR: Trying to make non-backed up ZSK active when RequireBackup flag is set
> Jun 21 06:23:51 ramanujan ods-enforcerd: KsmRequestKeys returned: 65562
> Jun 21 06:23:51 ramanujan ods-enforcerd: Signconf not written for 126.96.36.199.0.0.1.6.0.1.0.0.2.ip6.arpa
> Jun 21 06:50:34 ramanujan ods-auditor: Can't load 188.8.131.52.0.0.1.6.0.1.0.0.2.ip6.arpa SignerConfiguration file (/var/lib/opendnssec/signconf/184.108.40.206.0.0.1.6.0.1.0.
This is certainly a backup issue. You have a choice of requiring keys to
be backed-up or not; and you are running such that non-backed up keys
will not be used (this is the safer mode to be in). Because the backups
are not under ODSs control the timings can not be factored in to key
generation, so issues like this may happen between key generation and
backup... I'll see if this led to the "not enough keys" error that you
originally posted; and if so I'll fix that confusing message.
> I use SoftHSM which, as far as I know, has nor real limit, right now
> there are about 2500 keys in there. Nothing was logged besides statements
> from ODS that a new key was generated.
There is no physical limit other than the maximum file size of your FS,
or maybe what sqlite can cope with. However you can set a soft limit in
the repository section of conf.xml, this doesn't appear to be a factor
in this case though.
Re: restarting the enforcer, currently adding a zone does not take
immediate effect. You can HUP the enforcer by running "ods-control
enforcer notify", or wait until it runs again according to its schedule.
More information about the Opendnssec-user