[Opendnssec-user] signer does not find a key

Emil Natan shlyoko at gmail.com
Tue Dec 16 07:54:42 UTC 2014


Good morning,

I have a test environment with ODS 1.4.6 and Keyper HSM where signing zones
was working until I decided to remove all keys and start from scratch.
I removed all keys with "ods-hsmutil purge"\
reinitialized the HSM\
removed the single zone I used to sign\
reinitialized the database "ods-ksmutil setup"\
pregenerated new keys\
added a zone\
updated, restarted all services.
Everything seems to worked well, but the signer does not find one of the
keys to sign the zone, more specifically the KSK. I went the above process
few times, always ending with:

Dec 16 09:40:27 debugsigner002 ods-signerd: [hsm] unable to get key: key
f81e4b2cb33eec780320b6ceeb6f6bb8 not found
Dec 16 09:40:27 debugsigner002 ods-signerd: [zone] unable to publish
dnskeys for zone XXX: error creating dnskey
Dec 16 09:40:27 debugsigner002 ods-signerd: [tools] unable to read zone
XXX: failed to publish dnskeys (General error)
Dec 16 09:40:27 debugsigner002 ods-signerd: [worker[4]] CRITICAL: failed to
sign zone XXX: General error

The key exist in both HSM and database. ods-hsmutil lists it:

root at debugsigner002:~# ods-hsmutil list | grep
f81e4b2cb33eec780320b6ceeb6f6bb8
Keyper                f81e4b2cb33eec780320b6ceeb6f6bb8  RSA/2048

ods-ksmutil shows it:

root at debugsigner002:~# ods-ksmutil key list -v
Keys:
Zone:                           Keytype:      State:    Date of next
transition (to):  Size:   Algorithm:  CKA_ID:
Repository:                       Keytag:
XXX                              KSK           active    2016-01-16
09:49:45 (retire)   2048    8           f81e4b2cb33eec780320b6ceeb6f6bb8
 Keyper                            6061
XXX                              ZSK           active    2015-04-18
22:40:55 (retire)   1024    8           d2aa0ba9af0f41429d23ea387abb836a
 Keyper

external tools - dnssec-keyfromlabel can use it.
No other errors in the log.

Any ideas what's wrong? Suggestions what else to try?
Thanks.

Emil
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.opendnssec.org/pipermail/opendnssec-user/attachments/20141216/5f7865dc/attachment.htm>


More information about the Opendnssec-user mailing list