[Opendnssec-user] ods uses a different key for signing than reported by ods-ksmutil

Klaus Darilion klaus.mailinglists at pernau.at
Tue Nov 19 09:19:18 UTC 2013


Update: we have found the problem.

The problem was that the enforcer was running as user 'opendnssec' but 
the signer ran as user 'root'. Therefore, the enforcer could not notify 
the signer about the signconf update.

The relevant log message was "Could not call signer engine".

Obviously the signer re-reads the signconf not only on "update", but 
also on restart. This makes sense, as the signer could have missed an 
"update" while it was not running.

Thanks for the troubleshooting hints
Klaus

On 15.11.2013 13:42, Klaus Darilion wrote:
>
>
> On 14.11.2013 15:13, Matthijs Mekking wrote:
>> On 11/14/2013 02:26 PM, Klaus Darilion wrote:
>>
>>>>> Meanwhile I restarted the ods-signer daemon and after the next zone
>>>>> file update, ods signed with the correct key. So for now it is fixed,
>>>>> but do you have any ideas why the signer still used the old KSK after
>>>>> the KSK rollover?
>>>>
>>>> Can you perhaps provide logs (off list if you wish)?
>>>
>>> We have syslog logging, but this is rather quiet. Is there anything
>>> special for which I should look?
>>
>> I just wanted to make sure no warnings or errors were logged.
>
> I just checked the logs. The enforcer logged the rollovers (e.g. waiting
> for ds-seen, ...), but no errors or warnings. Also the signer did not
> log any warnings/errors. We triggered both - a manual ZSK rollover,
> followed by a manual KSK rollover - and both showed the same problem. The
> enforcer switched to the new key, but the signer still used the old key.
>
> I also checked the signed zone files (we back them up after every signing
> run): The new KSK and the new ZSK never showed up in the zone file; only
> when I restarted the signer daemon did it switch from the old to the new
> keys.
>
> regards
> Klaus
> _______________________________________________
> Opendnssec-user mailing list
> Opendnssec-user at lists.opendnssec.org
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
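A check that would have exposed this mismatch before the restart: compare the key tags actually used by the RRSIGs in the signed zone (what the signer really signed with) against the key tags the enforcer reports as active. This is an added example, not code from OpenDNSSEC or from the thread; the zone excerpt and the "enforcer says" tag sets are constructed stand-ins for the signer's output file and for what ods-ksmutil reports, and the DNSKEY material is dummy, so the computed key tags are small.

```python
import base64
import re

def dnskey_keytag(flags, protocol, algorithm, pubkey_b64):
    """Key tag per RFC 4034 Appendix B.1 (the algorithm-1 special case is omitted)."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(pubkey_b64)
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

RR_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+(DNSKEY|RRSIG)\s+(.*)$")

def audit_signed_zone(zone_text, expected_ksk_tags, expected_zsk_tags):
    """Compare key tags used by RRSIGs against what the enforcer says is active."""
    dnskey_tags = set()
    used = {}  # type covered -> key tags that signed it
    for line in zone_text.splitlines():
        m = RR_RE.match(line.strip())
        if not m:
            continue
        fields = m.group(3).split()
        if m.group(2) == "DNSKEY":
            dnskey_tags.add(dnskey_keytag(int(fields[0]), int(fields[1]), int(fields[2]), "".join(fields[3:])))
        else:
            # RRSIG rdata: type-covered alg labels ttl expiration inception keytag signer signature
            used.setdefault(fields[0], set()).add(int(fields[6]))
    ksk_used = used.get("DNSKEY", set())  # the DNSKEY RRset is signed by the KSK
    zsk_used = set().union(*(t for c, t in used.items() if c != "DNSKEY"))
    return {
        "ksk_used": ksk_used,
        "zsk_used": zsk_used,
        "unexpected_ksk": ksk_used - set(expected_ksk_tags),
        "unexpected_zsk": zsk_used - set(expected_zsk_tags),
        "rrsig_without_dnskey": (ksk_used | zsk_used) - dnskey_tags,
    }

# Constructed signed-zone excerpt: dummy DNSKEY material gives tags 1033 (KSK) and 1288 (ZSK).
SAMPLE_ZONE = """\
example.org. 3600 IN DNSKEY 257 3 8 AAAA
example.org. 3600 IN DNSKEY 256 3 8 AAAB
example.org. 3600 IN RRSIG DNSKEY 8 2 3600 20131201000000 20131115000000 1033 example.org. c2ln
example.org. 3600 IN RRSIG SOA 8 2 3600 20131201000000 20131115000000 1288 example.org. c2ln
www.example.org. 3600 IN RRSIG A 8 3 3600 20131201000000 20131115000000 1288 example.org. c2ln
"""
# Constructed stand-in for the tags the enforcer reports as active after the rollover.
ENFORCER_KSK, ENFORCER_ZSK = {40001}, {40002}

if __name__ == "__main__":
    print(audit_signed_zone(SAMPLE_ZONE, ENFORCER_KSK, ENFORCER_ZSK))
```

A non-empty `unexpected_ksk` or `unexpected_zsk` after a rollover is exactly the symptom described in the thread: the enforcer has switched, the signer has not.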
