[Opendnssec-user] signer does not find a key
shlyoko at gmail.com
Tue Dec 16 07:54:42 UTC 2014
I have a test environment with ODS 1.4.6 and Keyper HSM where signing zones
was working until I decided to remove all keys and start from scratch.
I removed all keys with "ods-hsmutil purge",
reinitialized the HSM,
removed the single zone I used to sign,
reinitialized the database ("ods-ksmutil setup"),
pregenerated new keys,
added a zone,
updated and restarted all services.
Everything seems to have worked well, but the signer does not find one of the
keys to sign the zone, more specifically the KSK. I went through the above process
a few times, always ending with:
Dec 16 09:40:27 debugsigner002 ods-signerd: [hsm] unable to get key: key f81e4b2cb33eec780320b6ceeb6f6bb8 not found
Dec 16 09:40:27 debugsigner002 ods-signerd: [zone] unable to publish dnskeys for zone XXX: error creating dnskey
Dec 16 09:40:27 debugsigner002 ods-signerd: [tools] unable to read zone XXX: failed to publish dnskeys (General error)
Dec 16 09:40:27 debugsigner002 ods-signerd: [worker] CRITICAL: failed to sign zone XXX: General error
The key exists in both the HSM and the database. ods-hsmutil lists it:
root at debugsigner002:~# ods-hsmutil list | grep
Keyper f81e4b2cb33eec780320b6ceeb6f6bb8 RSA/2048
ods-ksmutil shows it:
root at debugsigner002:~# ods-ksmutil key list -v
Zone:  Keytype:  State:  Date of next transition (to):  Size:  Algorithm:  CKA_ID:
XXX    KSK       active  2016-01-16 09:49:45 (retire)   2048   8           f81e4b2cb33eec780320b6ceeb6f6bb8
XXX    ZSK       active  2015-04-18 22:40:55 (retire)   1024   8           d2aa0ba9af0f41429d23ea387abb836a
External tools (dnssec-keyfromlabel) can use it.
No other errors in the log.
Any ideas what's wrong? Suggestions what else to try?
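A cross-check a practitioner can run in this situation, added here as an example and not code from the post or from the OpenDNSSEC project: it parses the two listings quoted above (constructed samples in the layout of the post, with the HSM listing deliberately holding only the KSK) and reports every CKA_ID the KASP database references that no HSM repository lists.

```python
import re

# Constructed sample listings, modelled on the two commands quoted in the post.
# The HSM listing deliberately contains only the KSK so the check has something to report.
HSMUTIL_LIST = """\
Listing keys in all repositories.
1 key found.

Repository      ID                                Type
----------      --                                ----
Keyper          f81e4b2cb33eec780320b6ceeb6f6bb8  RSA/2048
"""

KSMUTIL_KEY_LIST = """\
Zone:  Keytype:  State:  Date of next transition (to):  Size:  Algorithm:  CKA_ID:
XXX    KSK       active  2016-01-16 09:49:45 (retire)   2048   8           f81e4b2cb33eec780320b6ceeb6f6bb8
XXX    ZSK       active  2015-04-18 22:40:55 (retire)   1024   8           d2aa0ba9af0f41429d23ea387abb836a
"""

# A CKA_ID as printed by both tools: 16 bytes rendered as 32 hex digits.
HEX32 = re.compile(r"^[0-9a-f]{32}$", re.IGNORECASE)


def parse_hsm_list(text):
    """Return {cka_id: repository} for every 'Repository ID Type' row of ods-hsmutil list."""
    keys = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 3 and HEX32.match(fields[1]):
            keys[fields[1].lower()] = fields[0]
    return keys


def parse_ksm_key_list(text):
    """Return [(zone, keytype, state, cka_id)] for every key row of ods-ksmutil key list -v."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and HEX32.match(fields[-1]):
            rows.append((fields[0], fields[1], fields[2], fields[-1].lower()))
    return rows


def missing_keys(ksm_text, hsm_text):
    """Keys the KASP database references that no HSM repository reports."""
    in_hsm = parse_hsm_list(hsm_text)
    return [(zone, ktype, cka) for zone, ktype, _state, cka in parse_ksm_key_list(ksm_text)
            if cka not in in_hsm]


if __name__ == "__main__":
    for zone, ktype, cka in missing_keys(KSMUTIL_KEY_LIST, HSMUTIL_LIST):
        print(f"{zone} {ktype}: CKA_ID {cka} is in the database but not in any HSM repository")
```

On a live system, feed it the real output of both commands; an empty result, as for the KSK in this post, means the database and the HSM agree and narrows the problem to the signer's own lookup of the key.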