[Opendnssec-user] Key not found

Siôn Lloyd sion at nominet.org.uk
Mon Jun 9 12:39:04 UTC 2014


On 09/06/14 11:30, David Peall wrote:
>
> But then:
> ods-signerd: [hsm] unable to get key: key 994410881c1e66e2d075ed1ed1756679 not found
> ods-signerd: [zone] unable to publish dnskeys for zone <zone>: error creating dnskey
> ods-signerd: [tools] unable to read zone <zone>: failed to publish dnskeys (General error)
>
> But: 
> ods-ksmutil key list --verbose
> Zone:                           Keytype:      State:    Date of next transition (to):  Size:   Algorithm:  CKA_ID:                           Repository:                       Keytag:
> <zone>                        KSK           publish   2014-06-10 02:17:13 (ready)    2048    8           994410881c1e66e2d075ed1ed1756679  thales                            15664
>
> Is this because the key is not active? is this a bug?
Hi David,

The state of the key is not causing this... Does the signer run as the
same user/group as the enforcer?

> Also get this:
> ods-enforcerd: WARNING: KSK rollover for zone ‘<zone>' not completed as there are no keys in the 'ready' state; ods-enforcerd will try again when it runs next
>

This is just a warning that you have to wait for the KSK and signatures
to propagate before the key is considered "ACTIVE". The wording is not
ideal for the initial signing situation, but makes more sense when
describing subsequent rolls.

Sion



More information about the Opendnssec-user mailing list