[Opendnssec-user] Key not found

Siôn Lloyd sion at nominet.org.uk
Wed Jun 11 08:14:50 UTC 2014


On 10/06/14 15:40, David Peall wrote:
> Trying a key rollover I get the following:
> ods-enforcerd: Key 85d783cf86e25fe6c9bce3cbac1cf851 in DB but not repository.
>
> Run as the opendnssec user:
> ods-hsmutil list thales | grep 85d783cf86e25fe6c9bce3cbac1cf851   
> thales                85d783cf86e25fe6c9bce3cbac1cf851  RSA/2048  
>
> Something hinky going on?

Clearly the key _does_ exist in the HSM and I assume that the enforcer
is misinterpreting an error return from the thales box...

Is anything being logged from the HSM side that might help?

> Regards
> David Peall
>
> On 10 Jun 2014, at 4:22 PM, David Peall <david at dnservices.co.za> wrote:
>
>> Hi All
>>
>> As Mark has said logged in as the signer user we are able to list the “missing” key.
>> <zone>                        KSK           active    2015-06-10 15:19:39 (retire)   2048    8           994410881c1e66e2d075ed1ed1756679  thales                            15664
>>
>> Anything else we can try look for?
>>
>> Regards
>> David Peall
>>
>> On 09 Jun 2014, at 2:39 PM, Siôn Lloyd <sion at nominet.org.uk> wrote:
>>
>>> On 09/06/14 11:30, David Peall wrote:
>>>> But then:
>>>> ods-signerd: [hsm] unable to get key: key 994410881c1e66e2d075ed1ed1756679 not found
>>>> ods-signerd: [zone] unable to publish dnskeys for zone <zone>: error creating dnskey
>>>> ods-signerd: [tools] unable to read zone <zone>: failed to publish dnskeys (General error)
>>>>
>>>> But: 
>>>> ods-ksmutil key list --verbose
>>>> Zone:                           Keytype:      State:    Date of next transition (to):  Size:   Algorithm:  CKA_ID:                           Repository:                       Keytag:
>>>> <zone>                        KSK           publish   2014-06-10 02:17:13 (ready)    2048    8           994410881c1e66e2d075ed1ed1756679  thales                            15664
>>>>
>>>> Is this because the key is not active? is this a bug?
>>> Hi David,
>>>
>>> The state of the key is not causing this... Does the signer run as the
>>> same user/group as the enforcer?
>>>
>>>> Also get this:
>>>> ods-enforcerd: WARNING: KSK rollover for zone ‘<zone>' not completed as there are no keys in the 'ready' state; ods-enforcerd will try again when it runs next
>>>>
>>> This is just a warning that you have to wait for the KSK and signatures
>>> to propagate before the key is considered "ACTIVE". The wording is not
>>> ideal for the initial signing situation, but makes more sense when
>>> describing subsequent rolls.
>>>
>>> Sion
>>> _______________________________________________
>>> Opendnssec-user mailing list
>>> Opendnssec-user at lists.opendnssec.org
>>> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
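A small reconciliation script, added here as an example and not part of this thread or of OpenDNSSEC itself: it compares the CKA_IDs the enforcer database reports (ods-ksmutil key list --verbose) with the keys a given user can actually see in the repository (ods-hsmutil list), so the "in DB but not repository" condition can be checked per daemon user before a rollover. The sample outputs are constructed in the column layouts quoted above; the zone name, the second ZSK row and the shorter listing seen by a second user are assumptions.

```shell
#!/bin/sh
# Added example (not OpenDNSSEC project code): find keys the enforcer DB lists
# that a particular user's repository listing does not contain.
# All sample outputs below are constructed from the formats quoted in the thread.

# Constructed: enforcer DB view (ods-ksmutil key list --verbose).
KSMUTIL_OUT='Zone:        Keytype:  State:   Date of next transition (to):  Size:  Algorithm:  CKA_ID:                           Repository:  Keytag:
example.com  KSK       publish  2014-06-10 02:17:13 (ready)    2048   8           994410881c1e66e2d075ed1ed1756679  thales       15664
example.com  ZSK       active   2014-07-10 02:17:13 (retire)   1024   8           85d783cf86e25fe6c9bce3cbac1cf851  thales       20001'

# Constructed: ods-hsmutil list as the enforcer user (both keys visible).
HSM_ENFORCER='thales  85d783cf86e25fe6c9bce3cbac1cf851  RSA/2048
thales  994410881c1e66e2d075ed1ed1756679  RSA/2048'

# Constructed: ods-hsmutil list as a different user/group that sees only one key.
HSM_SIGNER='thales  85d783cf86e25fe6c9bce3cbac1cf851  RSA/2048'

# Print "repository cka_id" pairs from ksmutil output. The CKA_ID is the
# third-from-last column and the repository the second-from-last, which
# survives the variable-width date and state columns in the middle.
db_keys() {
    printf '%s\n' "$1" | awk '$1 != "Zone:" && NF >= 9 { print $(NF-1), $(NF-2) }'
}

# Print "repository cka_id" pairs from hsmutil output, keeping only rows
# whose second column is a 32-hex-digit CKA_ID (skips headers and counts).
hsm_keys() {
    printf '%s\n' "$1" | awk 'length($2) == 32 && $2 ~ /^[0-9a-f]+$/ { print $1, $2 }'
}

# Print every DB key that is absent from the repository listing.
missing_keys() {
    db="$1"; hsm="$2"
    db_keys "$db" | while read -r repo id; do
        hsm_keys "$hsm" | grep -q "^$repo $id\$" || echo "$repo $id"
    done
}

# To check a real system, run ods-hsmutil list as each daemon's user
# (e.g. su -s /bin/sh <user> -c 'ods-hsmutil list') and pass that output here.
echo "missing as enforcer user: [$(missing_keys "$KSMUTIL_OUT" "$HSM_ENFORCER")]"
echo "missing as signer user:   [$(missing_keys "$KSMUTIL_OUT" "$HSM_SIGNER")]"
```

A non-empty result for one user and an empty one for another points at repository access (user/group or HSM client configuration) rather than at the key itself, which is the distinction the reply above is asking about.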