[Opendnssec-user] ods uses a different key for signing than reported by ods-ksmutil
Klaus Darilion
klaus.mailinglists at pernau.at
Tue Nov 19 09:19:18 UTC 2013
Update: we have found the problem.
The problem was that the enforcer was running as user 'opendnssec' but
the signer ran as user 'root'. Therefore, the enforcer could not notify
the signer about the signconf update.
The relevant log message was "Could not call signer engine".
Obviously the signer re-reads the signconf not only on "update", but
also on restart. This makes sense, as the signer could have missed an
"update" while it was not running.
Thanks for the troubleshooting hints
Klaus
On 15.11.2013 13:42, Klaus Darilion wrote:
>
>
> On 14.11.2013 15:13, Matthijs Mekking wrote:
>> On 11/14/2013 02:26 PM, Klaus Darilion wrote:
>>
>>>>> Meanwhile I restarted the ods-signer daemon and after the next zone
>>>>> file
>>>>> update, ods signed with the correct key. So for now it is fixed,
>>>>> but do
>>>>> you have any ideas why the signer still used the old KSK after the KSK
>>>>> rollover?
>>>>
>>>> Can you perhaps provide logs (off list if you wish)?
>>>
>>> We have syslog logging, but this is rather quiet. Is there anything
>>> special for which I should look?
>>
>> I Just wanted to make sure no warnings or errors were logged.
>
> I just checked the logs. The enforcer logged the rollovers (e.g. waiting
> for ds-seen, ...), but no errors or warnings. Also the signer did not
> log any warnings/errors. We triggered both - a manual ZSK rollover,
> followed by a manual KSK rollover - and both showed the same problem. The
> enforcer switched to the new key, but the signer still used the old key.
>
> I also checked the signed zone files (we back them up after every signing
> run): The new KSK and the new ZSK never showed up in the zone file; only
> when I restarted the signer daemon did it switch from the old to the new
> keys.
>
> regards
> Klaus
> _______________________________________________
> Opendnssec-user mailing list
> Opendnssec-user at lists.opendnssec.org
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
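A small health check for the root cause found above (enforcer and signer running under different accounts, so the enforcer's "update" notification never reaches the signer), added here as an example; it is not part of the thread or of the OpenDNSSEC project. It assumes the daemon process names ods-enforcerd and ods-signerd and the `ps -eo user=,comm=` listing format; the sample listing is constructed to reproduce the bad state from the thread.

```shell
#!/bin/sh
# Added example, not OpenDNSSEC project code: verify that ods-enforcerd and
# ods-signerd run under the same account. In the thread above the enforcer
# ran as 'opendnssec' and the signer as 'root', so "Could not call signer
# engine" was logged and the signer kept using the old keys until restart.

# Constructed sample of "ps -eo user=,comm=" output showing the mismatch.
SAMPLE_PS='root       ods-signerd
opendnssec ods-enforcerd
root       sshd
opendnssec ods-enforcerd'

# ods_daemon_user LISTING NAME
#   prints the distinct users under which processes named NAME are running
ods_daemon_user() {
    printf '%s\n' "$1" | awk -v name="$2" '$2 == name { print $1 }' | sort -u
}

# ods_users_match LISTING
#   returns 0 when both daemons are present and share exactly one user,
#   1 (with a reason on stderr) otherwise
ods_users_match() {
    listing=$1
    enf=$(ods_daemon_user "$listing" ods-enforcerd)
    sig=$(ods_daemon_user "$listing" ods-signerd)
    if [ -z "$enf" ] || [ -z "$sig" ]; then
        echo "ods check: ods-enforcerd or ods-signerd is not running" >&2
        return 1
    fi
    # A multi-line value means one daemon runs under several users; that
    # also fails the equality test, which is what we want.
    if [ "$enf" != "$sig" ]; then
        echo "ods check: user mismatch enforcer=[$enf] signer=[$sig]" >&2
        return 1
    fi
    return 0
}

# check_live
#   runs the same check against the real process table of this host
check_live() {
    ods_users_match "$(ps -eo user=,comm=)"
}
```

Run `check_live` from cron or a monitoring probe; a non-zero exit is the condition to alert on, since with mismatched accounts the enforcer's signconf updates will silently stop reaching the signer.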