[Opendnssec-user] ods uses a different key for signing than reported by ods-ksmutil
Matthijs Mekking
matthijs at nlnetlabs.nl
Tue Nov 19 13:54:20 UTC 2013
Hi Klaus,
I am glad you found the cause of the problem and shared this on the list.
Best regards,
Matthijs
On 11/19/2013 10:19 AM, Klaus Darilion wrote:
> Update: we have found the problem.
>
> The problem was, that the enforcer was running as user 'opendnssec' but
> the signer ran as user 'root'. Therefore, the enforcer could not notify
> the signer about the signconf update.
>
> The relevant log message was "Could not call signer engine".
>
> Obviously the signer re-reads the signconf not only on "update", but
> also on restart. This makes sense, as the singer could have missed an
> "update" while it was not running.
>
> Thanks for the troubleshooting hints
> Klaus
>
> On 15.11.2013 13:42, Klaus Darilion wrote:
>>
>>
>> On 14.11.2013 15:13, Matthijs Mekking wrote:
>>> On 11/14/2013 02:26 PM, Klaus Darilion wrote:
>>>
>>>>>> Meanwhile I restarted the ods-signer daemon and after the next zone
>>>>>> file
>>>>>> update, ods signed with the correct key. So for now it is fixed,
>>>>>> but do
>>>>>> you have any ideas why the signer still used the old KSK after the
>>>>>> KSK
>>>>>> rollover?
>>>>>
>>>>> Can you perhaps provide logs (off list if you wish)?
>>>>
>>>> We have syslog logging, but this is rather quiet. Is there anything
>>>> special for which I should look?
>>>
>>> I Just wanted to make sure no warnings or errors were logged.
>>
>> I just checked the logs. The enforcer logged the rollovers (eg. waiting
>> for ds-seen, ...), but no errors or warnings. Also the signer did no
>> logged any warnings/errors. We triggered both - a manual ZSK rollover,
>> followed by a manual KSK rollover and both showed the same problem. The
>> enforcer switched to the new key, but the signer still used the old key.
>>
>> I also checked the signed zone files (we backup them after every signing
>> run): The new KSK and the new ZSK newer showed up in the zone file, only
>> when I restarted the signer daemon, it switched from the old to the new
>> keys.
>>
>> regards
>> Klaus
>> _______________________________________________
>> Opendnssec-user mailing list
>> Opendnssec-user at lists.opendnssec.org
>> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
More information about the Opendnssec-user
mailing list