[Opendnssec-user] Key not found
David Peall
david at dnservices.co.za
Tue Jun 10 14:40:53 UTC 2014
Trying a key rollover I get the following:
ods-enforcerd: Key 85d783cf86e25fe6c9bce3cbac1cf851 in DB but not repository.
Run as the opendnssec user:
ods-hsmutil list thales | grep 85d783cf86e25fe6c9bce3cbac1cf851
thales 85d783cf86e25fe6c9bce3cbac1cf851 RSA/2048
Something hinky going on?
Regards
—
David Peall
On 10 Jun 2014, at 4:22 PM, David Peall <david at dnservices.co.za> wrote:
> Hi All
>
> As Mark has said logged in as the signer user we are able to list the “missing” key.
> <zone> KSK active 2015-06-10 15:19:39 (retire) 2048 8 994410881c1e66e2d075ed1ed1756679 thales 15664
>
> Anything else we can try to look for?
>
> Regards
> —
> David Peall
>
> On 09 Jun 2014, at 2:39 PM, Siôn Lloyd <sion at nominet.org.uk> wrote:
>
>> On 09/06/14 11:30, David Peall wrote:
>>>
>>> But then:
>>> ods-signerd: [hsm] unable to get key: key 994410881c1e66e2d075ed1ed1756679 not found
>>> ods-signerd: [zone] unable to publish dnskeys for zone <zone>: error creating dnskey
>>> ods-signerd: [tools] unable to read zone <zone>: failed to publish dnskeys (General error)
>>>
>>> But:
>>> ods-ksmutil key list --verbose
>>> Zone: Keytype: State: Date of next transition (to): Size: Algorithm: CKA_ID: Repository: Keytag:
>>> <zone> KSK publish 2014-06-10 02:17:13 (ready) 2048 8 994410881c1e66e2d075ed1ed1756679 thales 15664
>>>
>>> Is this because the key is not active? Is this a bug?
>> Hi David,
>>
>> The state of the key is not causing this... Does the signer run as the
>> same user/group as the enforcer?
>>
>>> Also get this:
>>> ods-enforcerd: WARNING: KSK rollover for zone '<zone>' not completed as there are no keys in the 'ready' state; ods-enforcerd will try again when it runs next
>>>
>>
>> This is just a warning that you have to wait for the KSK and signatures
>> to propagate before the key is considered "ACTIVE". The wording is not
>> ideal for the initial signing situation, but makes more sense when
>> describing subsequent rolls.
>>
>> Sion
>> _______________________________________________
>> Opendnssec-user mailing list
>> Opendnssec-user at lists.opendnssec.org
>> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
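The comparison the enforcer is making ("in DB but not repository") and the same-user check Siôn asks about can be scripted so the mismatch is pinned to a specific CKA_ID and repository. The script below is an added example, not OpenDNSSEC's own code; the two listings it parses are constructed from the lines quoted in this thread (the zone name example.test and the second key's keytag and state are assumptions).

```shell
#!/bin/sh
# Added diagnostic (not part of OpenDNSSEC): compare the CKA_IDs the enforcer
# database lists against the CKA_IDs the HSM token exposes. Both listings
# must be captured as the SAME user the complaining daemon runs as; capture
# them again as the other daemon's user and diff the results if they differ.

# Print "repo ckaid" for every key in `ods-ksmutil key list --verbose` output.
# Per the header quoted in the thread, the CKA_ID is the 32-hex column and
# the repository name is the column right after it.
db_ckaids() {
    awk '{ for (i = 1; i < NF; i++)
             if (length($i) == 32 && $i ~ /^[0-9a-f]+$/) print $(i + 1), $i }'
}

# Print "repo ckaid" for every key in `ods-hsmutil list <repo>` output,
# where the repository name is the column right before the CKA_ID.
hsm_ckaids() {
    awk '{ for (i = 2; i <= NF; i++)
             if (length($i) == 32 && $i ~ /^[0-9a-f]+$/) print $(i - 1), $i }'
}

# Usage: keys_missing_from_hsm DB_LISTING HSM_LISTING
# Prints "repo ckaid" for each DB key the HSM listing does not contain.
keys_missing_from_hsm() {
    hsm=$(hsm_ckaids < "$2")
    db_ckaids < "$1" | while read -r repo id; do
        printf '%s\n' "$hsm" | grep -qx "$repo $id" || echo "$repo $id"
    done
}

# --- constructed sample listings, modelled on the lines quoted in the thread ---
tmp=$(mktemp -d)
cat > "$tmp/db.txt" <<'EOF'
Zone: Keytype: State: Date of next transition (to): Size: Algorithm: CKA_ID: Repository: Keytag:
example.test KSK publish 2014-06-10 02:17:13 (ready) 2048 8 994410881c1e66e2d075ed1ed1756679 thales 15664
example.test ZSK active 2014-06-20 02:17:13 (retire) 2048 8 85d783cf86e25fe6c9bce3cbac1cf851 thales 40001
EOF
cat > "$tmp/hsm.txt" <<'EOF'
Repository ID Type
thales 85d783cf86e25fe6c9bce3cbac1cf851 RSA/2048
EOF

# Real use: save the two listings as the signer's (or enforcer's) user, e.g.
#   sudo -u opendnssec ods-ksmutil key list --verbose > db.txt
#   sudo -u opendnssec ods-hsmutil list thales > hsm.txt
echo "Running as $(id -un); keys in enforcer DB but absent from HSM listing:"
keys_missing_from_hsm "$tmp/db.txt" "$tmp/hsm.txt"
```

On the constructed sample this reports only the KSK 994410881c1e66e2d075ed1ed1756679, which is the key the signer log says it cannot find.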