[Opendnssec-user] keys NOT IN repository

Siôn Lloyd sion at nominet.org.uk
Fri Dec 19 08:37:16 UTC 2014


<snip>

> Dec 18 14:22:19 debugsigner002 ods-enforcerd: Created key in repository
> Keyper
> Dec 18 14:22:19 debugsigner002 ods-enforcerd: Created ZSK size: 1024,
> alg: 8 with id: 6833a76d1e0834504e43c1ae47b66646 in repository: Keyper
> and database.

<snip>

> And my question is if there was a problem to create the keys in the HSM,
> why are they created out of it? Isn't it better if the process just
> stops? And where do the keys actually exist if not in the repository? The
> idea was to use ODS always with HSM.
> Thanks.

So it looks like the enforcer believed that the keys were properly
created in the HSM. But then when it comes time to use the keys (either
"key list -v" or signing) they cannot be found...

Note that the HSM is the _only_ place that the keys can be created;
there is no fall-back to SoftHSM or keys on disk. So what this message
means is that the enforcer's database is referring to keys that do not
exist at all. (Or at least the system cannot access them for some reason.)

Do other tools show if the keys exist or not?

Sion
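The check Sion asks for at the end of his message, whether the key IDs the enforcer logged actually exist in the repository, can be done by reconciling the enforcer's "Created ... with id:" log lines against the object IDs the HSM reports. The script below is an added example written for this page; it is not part of the thread or of OpenDNSSEC. It assumes the enforcer log format shown in the quoted lines, and the sample log text, the second key ID and the set of HSM object IDs are constructed for the example. The `parse_pkcs11tool_ids` helper assumes an `ID:` line per object, as `pkcs11-tool --list-objects` prints; that output format is an assumption, and the IDs could equally come from `ods-hsmutil list`.

```python
import re
from typing import Dict, Iterable, List, Set

# Matches the enforcer's "Created KSK/ZSK ... with id: <hex> in repository: <name>"
# line quoted in the thread (in syslog it is a single line; the mail wrapped it).
KEY_LINE = re.compile(
    r"ods-enforcerd: Created (?P<role>KSK|ZSK) size: (?P<size>\d+), "
    r"alg: (?P<alg>\d+) with id: (?P<id>[0-9a-fA-F]+) in repository: (?P<repo>\S+)"
)

# Assumed output shape of `pkcs11-tool --list-objects`: one "ID: <hex>" line per object.
PKCS11_ID_LINE = re.compile(r"^\s*ID:\s*(?P<id>[0-9a-fA-F]+)\s*$")

# Constructed sample log. The first ZSK id is the one quoted in the thread; the KSK
# line and its id are made up for the example.
SAMPLE_LOG = """\
Dec 18 14:22:19 debugsigner002 ods-enforcerd: Created key in repository Keyper
Dec 18 14:22:19 debugsigner002 ods-enforcerd: Created ZSK size: 1024, alg: 8 with id: 6833a76d1e0834504e43c1ae47b66646 in repository: Keyper and database.
Dec 18 14:22:20 debugsigner002 ods-enforcerd: Created KSK size: 2048, alg: 8 with id: 0123456789abcdef0123456789abcdef in repository: Keyper and database.
"""

# Constructed sample of what the HSM actually holds: only the KSK object is present,
# reproducing the "key in database but NOT IN repository" situation from the thread.
SAMPLE_PKCS11_LISTING = """\
Private Key Object; RSA
  label:      ksk-example
  ID:         0123456789abcdef0123456789abcdef
Public Key Object; RSA 2048 bits
  label:      ksk-example
  ID:         0123456789abcdef0123456789abcdef
"""


def parse_created_keys(lines: Iterable[str]) -> Dict[str, dict]:
    """Return {key_id: {role, size, alg, repo}} for every enforcer 'Created ...' line."""
    keys: Dict[str, dict] = {}
    for line in lines:
        m = KEY_LINE.search(line)
        if m:
            keys[m.group("id").lower()] = {
                "role": m.group("role"),
                "size": int(m.group("size")),
                "alg": int(m.group("alg")),
                "repo": m.group("repo"),
            }
    return keys


def parse_pkcs11tool_ids(listing: str) -> Set[str]:
    """Collect the CKA_ID values from an object listing (assumed pkcs11-tool format)."""
    ids: Set[str] = set()
    for line in listing.splitlines():
        m = PKCS11_ID_LINE.match(line)
        if m:
            ids.add(m.group("id").lower())
    return ids


def find_missing(expected: Dict[str, dict], hsm_ids: Set[str]) -> List[str]:
    """Key IDs the enforcer logged as created but which the HSM does not report."""
    return sorted(kid for kid in expected if kid not in hsm_ids)


def reconcile(log_text: str, listing: str) -> Dict[str, List[str]]:
    """Split logged key IDs into those present in the HSM and those missing from it."""
    expected = parse_created_keys(log_text.splitlines())
    hsm_ids = parse_pkcs11tool_ids(listing)
    missing = find_missing(expected, hsm_ids)
    present = sorted(kid for kid in expected if kid in hsm_ids)
    return {"present": present, "missing": missing}


if __name__ == "__main__":
    result = reconcile(SAMPLE_LOG, SAMPLE_PKCS11_LISTING)
    for kid in result["missing"]:
        print(f"NOT IN repository: {kid}")
    for kid in result["present"]:
        print(f"present in repository: {kid}")
```

Run against a real enforcer log and a real object listing from the token, a non-empty "missing" list is exactly the condition the thread describes: database rows that point at key material the HSM cannot produce, which is why `key list -v` and signing fail.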
