[Opendnssec-user] Key not found
sion at nominet.org.uk
Mon Jun 9 12:39:04 UTC 2014
On 09/06/14 11:30, David Peall wrote:
> But then:
> ods-signerd: [hsm] unable to get key: key 994410881c1e66e2d075ed1ed1756679 not found
> ods-signerd: [zone] unable to publish dnskeys for zone <zone>: error creating dnskey
> ods-signerd: [tools] unable to read zone <zone>: failed to publish dnskeys (General error)
> ods-ksmutil key list --verbose
> Zone: Keytype: State: Date of next transition (to): Size: Algorithm: CKA_ID: Repository: Keytag:
> <zone> KSK publish 2014-06-10 02:17:13 (ready) 2048 8 994410881c1e66e2d075ed1ed1756679 thales 15664
> Is this because the key is not active? is this a bug?
The state of the key is not causing this... Does the signer run as the
same user/group as the enforcer?
> Also get this:
> ods-enforcerd: WARNING: KSK rollover for zone ‘<zone>' not completed as there are no keys in the 'ready' state; ods-enforcerd will try again when it runs next
This is just a warning that you have to wait for the KSK and signatures
to propagate before the key is considered "ACTIVE". The wording is not
ideal for the initial signing situation, but makes more sense when
describing subsequent rolls.
More information about the Opendnssec-user