[Opendnssec-user] Key not found
Siôn Lloyd
sion at nominet.org.uk
Wed Jun 11 08:14:50 UTC 2014
On 10/06/14 15:40, David Peall wrote:
> Trying a key rollover I get the following:
> ods-enforcerd: Key 85d783cf86e25fe6c9bce3cbac1cf851 in DB but not repository.
>
> Run as the opendnssec user:
> ods-hsmutil list thales | grep 85d783cf86e25fe6c9bce3cbac1cf851
> thales 85d783cf86e25fe6c9bce3cbac1cf851 RSA/2048
>
> Something hinky going on?
Clearly the key _does_ exist in the HSM and I assume that the enforcer
is misinterpreting an error return from the thales box...
Is anything being logged from the HSM side that might help?
> Regards
> —
> David Peall
>
> On 10 Jun 2014, at 4:22 PM, David Peall <david at dnservices.co.za> wrote:
>
>> Hi All
>>
>> As Mark has said logged in as the signer user we are able to list the “missing” key.
>> <zone> KSK active 2015-06-10 15:19:39 (retire) 2048 8 994410881c1e66e2d075ed1ed1756679 thales 15664
>>
>> Anything else we can try look for?
>>
>> Regards
>> —
>> David Peall
>>
>> On 09 Jun 2014, at 2:39 PM, Siôn Lloyd <sion at nominet.org.uk> wrote:
>>
>>> On 09/06/14 11:30, David Peall wrote:
>>>> But then:
>>>> ods-signerd: [hsm] unable to get key: key 994410881c1e66e2d075ed1ed1756679 not found
>>>> ods-signerd: [zone] unable to publish dnskeys for zone <zone>: error creating dnskey
>>>> ods-signerd: [tools] unable to read zone <zone>: failed to publish dnskeys (General error)
>>>>
>>>> But:
>>>> ods-ksmutil key list --verbose
>>>> Zone: Keytype: State: Date of next transition (to): Size: Algorithm: CKA_ID: Repository: Keytag:
>>>> <zone> KSK publish 2014-06-10 02:17:13 (ready) 2048 8 994410881c1e66e2d075ed1ed1756679 thales 15664
>>>>
>>>> Is this because the key is not active? is this a bug?
>>> Hi David,
>>>
>>> The state of the key is not causing this... Does the signer run as the
>>> same user/group as the enforcer?
>>>
>>>> Also get this:
>>>> ods-enforcerd: WARNING: KSK rollover for zone ‘<zone>' not completed as there are no keys in the 'ready' state; ods-enforcerd will try again when it runs next
>>>>
>>> This is just a warning that you have to wait for the KSK and signatures
>>> to propagate before the key is considered "ACTIVE". The wording is not
>>> ideal for the initial signing situation, but makes more sense when
>>> describing subsequent rolls.
>>>
>>> Sion
>>> _______________________________________________
>>> Opendnssec-user mailing list
>>> Opendnssec-user at lists.opendnssec.org
>>> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
>> _______________________________________________
>> Opendnssec-user mailing list
>> Opendnssec-user at lists.opendnssec.org
>> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
More information about the Opendnssec-user
mailing list