[Opendnssec-user] Signature failed to cryptographically verify

Matthijs Mekking matthijs at nlnetlabs.nl
Wed Jun 4 14:11:08 UTC 2014

Hi Gilles,

On 04-06-14 15:24, Gilles Massen wrote:
> Hi,
>> Roughly: you should be able to run ods-signerd with a single run and a
>> specific config file:
>> 1. Create a new conf.xml, probably using some different file locations.
>> 2. Make a signer configuration file signconf.xml for a zone, referencing
>> the specific locator of the key.
>> 3. Run 'ods-signerd -c conf.xml -1' (different cfg, single run)
> I try to get this to work, but have a few problems. So far I made a copy
> of the setup, adapted conf.xml, stripped the zonelist.xml down to a
> single zone and removed everything but a KSK and the possibly broken ZSK
> from signconf/.xml.

> Note: the KSK was previously active, while the ZSK was retired.

When the ZSK is retired, the signer will not create new signatures
anymore. You should probably add the <ZSK/> flag in the <key> section.

> Now the signer does produce a zone, but signs only the DNSKEY RRset with
> the KSK, and no other record. So the ZSK is not used (but the signer
> does not complain, even with multiple -v).

The signconf has no active ZSK configured, so the signer does not create
ZSK signatures.

> So what am I missing? Does the signer read the kasp.db? (I made the old
> ZSK active in the kasp.db, just in case, but that does not seem to
> help). What am I missing?

The signer does not read kasp.db, it's an enforcer thingy. The signer
gets its configuration from the signconf xml file.

> BTW: is there a way to tell the signer where to put his PID?

Just introduced in 1.3.17: <PidFile> :) (and soon to be in 1.4.6 too).

Best regards,

> best,
> Gilles

More information about the Opendnssec-user mailing list