[Opendnssec-user] Key not found

David Peall david at dnservices.co.za
Mon Jun 9 10:30:22 UTC 2014


After fixing the permissions for key creation I get the following:

ods-enforcerd: 1 zone(s) found on policy "default"
ods-enforcerd: 1 new KSK(s) (2048 bits) need to be created for policy default: keys_to_generate(1) = keys_needed(1) - keys_available(0).
ods-enforcerd: Created key in repository thales
ods-enforcerd: Created KSK size: 2048, alg: 8 with id: 994410881c1e66e2d075ed1ed1756679 in repository: thales and database.
ods-enforcerd: 1 new ZSK(s) (1024 bits) need to be created for policy default: keys_to_generate(1) = keys_needed(1) - keys_available(0).
ods-enforcerd: Created key in repository thales
ods-enforcerd: Created ZSK size: 1024, alg: 8 with id: fdda444308e69eeabc46e1958a12d512 in repository: thales and database.
...
ods-enforcerd: ZSK key allocation for zone <zone>: 1 key(s) allocated
ods-enforcerd: KSK key allocation for zone <zone>: 1 key(s) allocated


But then:
ods-signerd: [hsm] unable to get key: key 994410881c1e66e2d075ed1ed1756679 not found
ods-signerd: [zone] unable to publish dnskeys for zone <zone>: error creating dnskey
ods-signerd: [tools] unable to read zone <zone>: failed to publish dnskeys (General error)

But: 
ods-ksmutil key list --verbose
Zone:                           Keytype:      State:    Date of next transition (to):  Size:   Algorithm:  CKA_ID:                           Repository:                       Keytag:
<zone>                        KSK           publish   2014-06-10 02:17:13 (ready)    2048    8           994410881c1e66e2d075ed1ed1756679  thales                            15664

Is this because the key is not active? Is this a bug?

Also get this:
ods-enforcerd: WARNING: KSK rollover for zone '<zone>' not completed as there are no keys in the 'ready' state; ods-enforcerd will try again when it runs next

Any help is appreciated.

Regards
—
David Peall
