[Opendnssec-user] Signature failed to cryptographically verify

Gilles Massen gilles.massen at restena.lu
Wed Jun 4 14:32:22 UTC 2014

Hi Matthijs,

>> Note: the KSK was previously active, while the ZSK was retired.
> When the ZSK is retired, the signer will not create new signatures
> anymore. You should probably add the <ZSK/> flag in the <key> section.

That's what I was missing. Thanks, I'll try that!

>> So what am I missing? Does the signer read the kasp.db? (I made the old
>> ZSK active in the kasp.db, just in case, but that does not seem to
>> help). What am I missing?
> The signer does not read kasp.db, it's an enforcer thingy. The signer
> gets its configuration from the signconf xml file.

ok, thanks for confirming.

>> BTW: is there a way to tell the signer where to put his PID?
> Just introduced in 1.3.17: <PidFile> :) (and soon to be in 1.4.6 too).

Great :) I will not upgrade straight away (just in case my issue had its
roots in 1.3.14), but it will come handy.

I'll try these tomorrow, have a train to catch :)


More information about the Opendnssec-user mailing list