[Opendnssec-user] ods-enforcerd in error loop required manual ods-ksmutil hacking to get unstuck :(

Matthijs Mekking matthijs at pletterpet.nl
Wed Sep 24 06:05:32 UTC 2014


On 23-09-14 16:19, Paul Wouters wrote:
> On Tue, 23 Sep 2014, Matthijs Mekking wrote:
>
>>> And for unknown reasons it is now only creating a single RRSIG record
>>> for the DNSKEY set (by the KSK) and none of the RRSIG records by the
>>> ZSK, turning these 4 zones into bogus :(
>>>
>>> Deleting all files in /var/opendnssec/tmp/ and /var/opendnssec/signed/
>>> and even /var/opendnssec/signconf/ and running ods-ksmutil update all
>>> did not resolve this issue:
>>
>> If you need such recovery, you also want to restart the signer after
>> removing these files, as the data is now retained in memory.
>
> That was done. It just choked in the missing ZSK spare key, and therefore
> didn't sign any data with the ZSK, and the "signed" zone had no ZSK
> based RRSIGs.

What was in the signconf.xml? Because if the ZSK was not configured 
there, the signer will happily sign the zone with just the KSK (if in 
signconf.xml of course).

If the ZSK is in the signconf, but not in the HSM, the signer should barf.

- Matthijs

>
> Paul
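A small diagnostic for the two cases Matthijs distinguishes, added here as an example rather than OpenDNSSEC's own code: it parses the Keys section of a signconf.xml (element layout assumed from the OpenDNSSEC 1.x signconf format; the sample document is constructed) and reports whether the zone would be signed KSK-only, whether a configured ZSK is absent from a supplied set of HSM key locators, or whether the configuration looks consistent.

```python
import xml.etree.ElementTree as ET

# Constructed key entries in the assumed OpenDNSSEC 1.x signconf layout.
# Locators are made-up values, not from the poster's system.
KSK_KEY = """<Key><Flags>257</Flags><Algorithm>8</Algorithm>
   <Locator>aaaa1111</Locator><KSK/><Publish/></Key>"""
ZSK_KEY = """<Key><Flags>256</Flags><Algorithm>8</Algorithm>
   <Locator>bbbb2222</Locator><ZSK/><Publish/></Key>"""

def make_signconf(*keys):
    """Wrap key entries in a minimal constructed signconf document."""
    return ("<SignerConfiguration><Zone name=\"example.com\"><Keys>"
            "<TTL>PT3600S</TTL>" + "".join(keys) +
            "</Keys></Zone></SignerConfiguration>")

SIGNCONF_OK = make_signconf(KSK_KEY, ZSK_KEY)     # KSK + signing ZSK
SIGNCONF_KSK_ONLY = make_signconf(KSK_KEY)        # no ZSK configured at all

def key_roles(signconf_xml):
    """Return [(locator, set_of_roles)] for every <Key> in the signconf.
    Roles are the presence of the <KSK/>, <ZSK/> and <Publish/> markers."""
    root = ET.fromstring(signconf_xml)
    result = []
    for key in root.iter("Key"):
        roles = {r for r in ("KSK", "ZSK", "Publish") if key.find(r) is not None}
        result.append((key.findtext("Locator"), roles))
    return result

def diagnose(signconf_xml, hsm_locators):
    """Classify the configuration according to the behaviour described in the thread.
    hsm_locators: the set of key locators actually present in the HSM."""
    zsk_locators = [loc for loc, roles in key_roles(signconf_xml) if "ZSK" in roles]
    if not zsk_locators:
        # Nothing carries the ZSK signing role: the signer happily signs with the KSK alone.
        return "ksk-only"
    if any(loc not in hsm_locators for loc in zsk_locators):
        # ZSK is configured but its key material is not in the HSM: the signer should error out.
        return "zsk-missing-in-hsm"
    return "ok"

if __name__ == "__main__":
    print(diagnose(SIGNCONF_OK, {"aaaa1111", "bbbb2222"}))   # ok
    print(diagnose(SIGNCONF_OK, {"aaaa1111"}))               # zsk-missing-in-hsm
    print(diagnose(SIGNCONF_KSK_ONLY, {"aaaa1111"}))         # ksk-only
```

Running it against the real /var/opendnssec/signconf/<zone>.xml and the locators reported by the HSM tooling tells you which of the two failure modes you are looking at before touching the key database.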
