[Opendnssec-user] Signature failed to cryptographically verify
Gilles Massen
gilles.massen at restena.lu
Wed Jun 4 14:32:22 UTC 2014
Hi Matthijs,
>> Note: the KSK was previously active, while the ZSK was retired.
>
> When the ZSK is retired, the signer will not create new signatures
> anymore. You should probably add the <ZSK/> flag in the <key> section.
That's what I was missing. Thanks, I'll try that!
>> So what am I missing? Does the signer read the kasp.db? (I made the old
>> ZSK active in the kasp.db, just in case, but that does not seem to
>> help). What am I missing?
>
> The signer does not read kasp.db, it's an enforcer thingy. The signer
> gets its configuration from the signconf xml file.
ok, thanks for confirming.
>> BTW: is there a way to tell the signer where to put his PID?
>
> Just introduced in 1.3.17: <PidFile> :) (and soon to be in 1.4.6 too).
Great :) I will not upgrade straight away (just in case my issue had its
roots in 1.3.14), but it will come in handy.
I'll try these tomorrow, have a train to catch :)
cheers,
Gilles