[Opendnssec-user] Key not found
david at dnservices.co.za
Tue Jun 10 14:40:53 UTC 2014
Trying a key rollover I get the following:
ods-enforcerd: Key 85d783cf86e25fe6c9bce3cbac1cf851 in DB but not repository.
Run as the opendnssec user:
ods-hsmutil list thales | grep 85d783cf86e25fe6c9bce3cbac1cf851
thales 85d783cf86e25fe6c9bce3cbac1cf851 RSA/2048
Something hinky going on?
On 10 Jun 2014, at 4:22 PM, David Peall <david at dnservices.co.za> wrote:
> Hi All
> As Mark has said logged in as the signer user we are able to list the “missing” key.
> <zone> KSK active 2015-06-10 15:19:39 (retire) 2048 8 994410881c1e66e2d075ed1ed1756679 thales 15664
> Anything else we can try look for?
> David Peall
> On 09 Jun 2014, at 2:39 PM, Siôn Lloyd <sion at nominet.org.uk> wrote:
>> On 09/06/14 11:30, David Peall wrote:
>>> But then:
>>> ods-signerd: [hsm] unable to get key: key 994410881c1e66e2d075ed1ed1756679 not found
>>> ods-signerd: [zone] unable to publish dnskeys for zone <zone>: error creating dnskey
>>> ods-signerd: [tools] unable to read zone <zone>: failed to publish dnskeys (General error)
>>> ods-ksmutil key list --verbose
>>> Zone: Keytype: State: Date of next transition (to): Size: Algorithm: CKA_ID: Repository: Keytag:
>>> <zone> KSK publish 2014-06-10 02:17:13 (ready) 2048 8 994410881c1e66e2d075ed1ed1756679 thales 15664
>>> Is this because the key is not active? is this a bug?
>> Hi David,
>> The state of the key is not causing this... Does the signer run as the
>> same user/group as the enforcer?
>>> Also get this:
>>> ods-enforcerd: WARNING: KSK rollover for zone ‘<zone>' not completed as there are no keys in the 'ready' state; ods-enforcerd will try again when it runs next
>> This is just a warning that you have to wait for the KSK and signatures
>> to propagate before the key is considered "ACTIVE". The wording is not
>> ideal for the initial signing situation, but makes more sense when
>> describing subsequent rolls.
>> Opendnssec-user mailing list
>> Opendnssec-user at lists.opendnssec.org
> Opendnssec-user mailing list
> Opendnssec-user at lists.opendnssec.org
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 4148 bytes
Desc: not available
More information about the Opendnssec-user