[Opendnssec-user] Re: ods-enforcerd: Error creating key in repository SoftHSM-KSK

Mark Elkins mje at posix.co.za
Sun Aug 31 16:08:13 UTC 2014


On Sun, 2014-08-31 at 15:54 +0000, Abdalmonem Tharwat Galila wrote:
> Thanks a bundle, Jarno.
> I do not understand what OpenDNSSEC means by:
> 
> WARNING: New KSK has reached the ready state; please submit the DS for myTLD and use ods-ksmutil key ds-seen when the DS appears in the DNS.

OpenDNSSEC has created a new KSK and it's been in "xn--wgbh1c" long
enough to be properly propagated - so anyone doing a query for a KSK in
your zone should find it.

The DS record(s) for this KSK now need to be put in your zone's Parent.
Once these DS record(s) have been there long enough to be SEEN by anyone
looking, you should then inform OpenDNSSEC that the DS has been SEEN
(ds-seen). This allows OpenDNSSEC to proceed.

> Also when I run ods-ksmutil key list --verbose, I got this:
> 
> SQLite database set to: /var/opendnssec/kasp.db
> Keys:
> Zone:                           Keytype:      State:    Date of next transition (to):  Size:   Algorithm:  CKA_ID:                           Repository:                       Keytag:
> xn--wgbh1c                      KSK           ready     waiting for ds-seen (active)   2048    8           105f92815149413be458e05138ba734f  SoftHSM-KSK                       60047
> xn--wgbh1c                      ZSK           active    2014-08-31 20:26:54 (retire)   1024    8           91a2aa128ce554f23453dec10ce9833b  SoftHSM-ZSK                       56364
> 
> What does 'waiting for ds-seen (active)' mean?
> 
> Thanks again for all your support
> 
>  
> ________________________________________
> From: Jarno Huuskonen [jarno.huuskonen at uef.fi]
> Sent: Sunday, August 31, 2014 4:32 PM
> To: Abdalmonem Tharwat Galila
> Cc: opendnssec-user at lists.opendnssec.org
> Subject: Re: [Opendnssec-user] Re: ods-enforcerd: Error creating key in repository SoftHSM-KSK
> 
> Hi,
> 
> On Sun, Aug 31, Abdalmonem Tharwat Galila wrote:
> > >> What do you have in softhsm.conf (/etc/softhsm.conf) ?
> >
> > 0:/var/softhsm/slot0.db
> > 1:/var/softhsm/slot1.db
> > 2:/var/softhsm/slot2.db
> >
> > >> Is the user account used for ods-enforcerd able to access the files defined in softhsm.conf (can change to the directory and read/write the files).
> >
> > How do I get that user you are talking about?
> 
> What do you have in your opendnssec conf.xml
> (/etc/opendnssec/conf.xml?):
> 
> Do you have something like:
>         <Enforcer>
>                 <Privileges>
>                         <User>ods</User>
>                         <Group>ods</Group>
>                 </Privileges>
> 
> and something similar for <Signer> ?
> 
> So assuming you have <User>ods</User> can you try for example:
> su - -s/bin/bash ods
> and after su (as user ods)
> cd /var/softhsm
> ls -l slot*.db
> ls -l .
> 
> Also after su can you check that your /var/named/zones/conf/ is
> accessible:
> (ls -l /var/named/zones/conf)
> and
> cd /var/named/zones/conf # if you get permission denied then
> check that /var/named, /var/named/zones and /var/named/zones/conf
> permissions allow access (for example ls -l).
> 
> -Jarno
> 
> --
> Jarno Huuskonen
> _______________________________________________
> Opendnssec-user mailing list
> Opendnssec-user at lists.opendnssec.org
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user

-- 
Mark James ELKINS  -  Posix Systems - (South) Africa
mje at posix.co.za       Tel: +27.128070590  Cell: +27.826010496
For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za
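Added example, not part of the thread, showing the check behind Mark's advice: it parses the `ods-ksmutil key list --verbose` output quoted above, finds KSKs whose next transition is "waiting for ds-seen", and emits the `ds-seen` command only when the parent's DS answer (a constructed `dig DS` answer with a placeholder digest) carries the matching keytag. The `--zone`/`--keytag` options of `ods-ksmutil key ds-seen` are assumed from OpenDNSSEC 1.x.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# Output of `ods-ksmutil key list --verbose` exactly as quoted in the thread above.
KEY_LIST = """\
SQLite database set to: /var/opendnssec/kasp.db
Keys:
Zone:                           Keytype:      State:    Date of next transition (to):  Size:   Algorithm:  CKA_ID:                           Repository:                       Keytag:
xn--wgbh1c                      KSK           ready     waiting for ds-seen (active)   2048    8           105f92815149413be458e05138ba734f  SoftHSM-KSK                       60047
xn--wgbh1c                      ZSK           active    2014-08-31 20:26:54 (retire)   1024    8           91a2aa128ce554f23453dec10ce9833b  SoftHSM-ZSK                       56364
"""

# Constructed sample: answer section of `dig +noall +answer DS xn--wgbh1c.` at the
# parent. The digest is a placeholder, not a real hash; only the keytag matters here.
PARENT_DS = "xn--wgbh1c.  3600  IN  DS  60047 8 2 " + "0123456789abcdef" * 4 + "\n"

COLUMNS = ["zone", "keytype", "state", "next_transition", "size",
           "algorithm", "cka_id", "repository", "keytag"]

def parse_key_list(text: str) -> List[Dict[str, object]]:
    """Turn the key-list table into records; columns are separated by 2+ spaces."""
    records = []
    for line in text.splitlines():
        fields = re.split(r"\s{2,}", line.strip())
        if len(fields) != len(COLUMNS) or fields[0] == "Zone:":
            continue  # banner lines, the header row, or anything malformed
        rec: Dict[str, object] = dict(zip(COLUMNS, fields))
        rec["keytag"] = int(str(rec["keytag"]))
        records.append(rec)
    return records

def keys_waiting_for_ds_seen(records: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """KSKs that are ready but still wait for the operator's ds-seen confirmation."""
    return [r for r in records
            if r["keytype"] == "KSK" and "waiting for ds-seen" in str(r["next_transition"])]

def parse_ds_keytags(dig_answer: str) -> Set[int]:
    """Collect keytags from DS RRs in a dig answer section (owner TTL IN DS tag alg dt digest)."""
    tags = set()
    for line in dig_answer.splitlines():
        parts = line.split()
        if len(parts) >= 7 and parts[3] == "DS":
            tags.add(int(parts[4]))
    return tags

def pending_actions(key_list_text: str, dig_answer: str) -> List[Tuple[int, Optional[str]]]:
    """For each waiting KSK: (keytag, ds-seen command) if the parent publishes its DS, else (keytag, None)."""
    parent_tags = parse_ds_keytags(dig_answer)
    out = []
    for rec in keys_waiting_for_ds_seen(parse_key_list(key_list_text)):
        cmd = None
        if rec["keytag"] in parent_tags:
            cmd = f"ods-ksmutil key ds-seen --zone {rec['zone']} --keytag {rec['keytag']}"
        out.append((int(str(rec["keytag"])), cmd))
    return out
```

Run `pending_actions(KEY_LIST, PARENT_DS)` once the DS is visible at the parent; an empty dig answer yields `(60047, None)`, meaning ds-seen must not be run yet.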