[Opendnssec-user] Error allocating ksks / zsks

Havard Eidnes he at uninett.no
Wed Mar 9 20:51:44 UTC 2016


Hi,

a new occurrence of this problem has surfaced.

Somehow my SoftHSM database had become owned by root (ouch!).  While
that was done, a new zone was added.  Of course key allocation failed
since the enforcer could not write to the SoftHSM database.

However, the file ownership problem is now sorted, but OpenDNSSEC
still refuses to allocate any keys:

Mar  9 21:34:09 hugin ods-signerd: [parser] zone mydomainname.no added
Mar  9 21:34:25 hugin ods-enforcerd: Zone mydomainname.no found.
Mar  9 21:34:25 hugin ods-enforcerd: Policy for mydomainname.no set to default.
Mar  9 21:34:25 hugin ods-enforcerd: Config will be output to /var/opendnssec/signconf/mydomainname.no.xml.
Mar  9 21:34:25 hugin ods-enforcerd: Not enough keys to satisfy zsk policy for zone: mydomainname.no. keys_to_allocate(1) = keys_needed(1) - (keys_available(0) - keys_pending_retirement(0)) 
Mar  9 21:34:25 hugin ods-enforcerd: Error allocating zsks to zone mydomainname.no

Of course the "Not enough keys" error message is meaningless, and
the equation shown *is* true, so that's obviously *not* the problem.

There's also no way I've found to increase the logging level of
the enforcer so I can easily get a clue as to the actual problem.  I
sense some coding coming up to narrow in on the actual problem...

The zone's key list is empty:

ods @ hugin: {14} ods-ksmutil key list --zone mydomainname.no
Keys:
Zone:                           Keytype:      State:    Date of next transition:

ods @ hugin: {15} 

And later of course the signer logs:

Mar  9 21:39:44 hugin ods-signerd: [worker[1]] configure zone mydomainname.no
Mar  9 21:39:44 hugin ods-signerd: [file] unable to open file /var/opendnssec/signconf/mydomainname.no.xml for reading: No such file or directory
Mar  9 21:39:44 hugin ods-signerd: [file] unable to stat file /var/opendnssec/signconf/mydomainname.no.xml: ods_fopen() failed
Mar  9 21:39:44 hugin ods-signerd: [zone] zone mydomainname.no signconf file /var/opendnssec/signconf/mydomainname.no.xml is unchanged since 2016-03-09 21:39:44
Mar  9 21:39:44 hugin ods-signerd: [worker[1]] no signconf.xml for zone mydomainname.no yet
Mar  9 21:39:44 hugin ods-signerd: [worker[1]] CRITICAL: failed to sign zone mydomainname.no: General error
Mar  9 21:39:44 hugin ods-signerd: [worker[1]] backoff task [configure] for zone mydomainname.no with 60 seconds
Mar  9 21:39:44 hugin ods-signerd: [worker[1]] finished working on zone mydomainname.no
Mar  9 21:39:44 hugin ods-signerd: [scheduler] schedule task [configure] for zone mydomainname.no
Mar  9 21:39:44 hugin ods-signerd: [task] On Wed Mar  9 21:40:44 2016 I will [configure] zone mydomainname.no

Restarting OpenDNSSEC does not fix the problem.

So...  I remove the zone and let one of my scripts re-create it.

However, that does *not* fix it:

Mar  9 21:48:21 hugin ods-enforcerd: Zone mydomainname.no found.
Mar  9 21:48:21 hugin ods-enforcerd: Policy for mydomainname.no set to default.
Mar  9 21:48:21 hugin ods-enforcerd: Config will be output to /var/opendnssec/signconf/mydomainname.no.xml.
Mar  9 21:48:21 hugin ods-enforcerd: Not enough keys to satisfy zsk policy for zone: mydomainname.no. keys_to_allocate(1) = keys_needed(1) - (keys_available(0) - keys_pending_retirement(0)) 
Mar  9 21:48:21 hugin ods-enforcerd: Error allocating zsks to zone mydomainname.no

So, how do I get out of this state?!?  Should not OpenDNSSEC be able
to sort this out itself?

Regards,

- Håvard
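As an added example (not code from the post or from the OpenDNSSEC project), the following parser reads ods-enforcerd syslog lines in the format quoted above, extracts the key-allocation equation the enforcer prints, checks whether it balances, and flags zones where allocation actually failed. The sample lines are constructed to match the quoted output; no real log is read.

```python
import re
from typing import Dict, List

# Constructed sample lines modelled on the ods-enforcerd output quoted in the post.
SAMPLE_LOG = """\
Mar  9 21:34:25 hugin ods-enforcerd: Zone mydomainname.no found.
Mar  9 21:34:25 hugin ods-enforcerd: Policy for mydomainname.no set to default.
Mar  9 21:34:25 hugin ods-enforcerd: Not enough keys to satisfy zsk policy for zone: mydomainname.no. keys_to_allocate(1) = keys_needed(1) - (keys_available(0) - keys_pending_retirement(0))
Mar  9 21:34:25 hugin ods-enforcerd: Error allocating zsks to zone mydomainname.no
Mar  9 21:34:26 hugin ods-enforcerd: Zone example.test found.
"""

# Regex for the "Not enough keys" line, capturing the four values of the equation.
NOT_ENOUGH_RE = re.compile(
    r"ods-enforcerd: Not enough keys to satisfy (?P<keytype>\w+) policy for zone: "
    r"(?P<zone>\S+)\. keys_to_allocate\((?P<alloc>\d+)\) = keys_needed\((?P<needed>\d+)\)"
    r" - \(keys_available\((?P<avail>\d+)\) - keys_pending_retirement\((?P<retire>\d+)\)\)"
)
# Regex for the follow-up "Error allocating zsks/ksks" line.
ERROR_RE = re.compile(r"ods-enforcerd: Error allocating (?P<keytype>\w+) to zone (?P<zone>\S+)")


def scan_enforcer_log(text: str) -> Dict[str, Dict[str, dict]]:
    """Per zone and key type, record the shortfall the enforcer reported.
    'consistent' is True when the printed equation balances, which (as the
    post notes) tells you nothing about why allocation failed."""
    findings: Dict[str, Dict[str, dict]] = {}
    for line in text.splitlines():
        m = NOT_ENOUGH_RE.search(line)
        if m:
            alloc, needed, avail, retire = (int(m.group(g)) for g in ("alloc", "needed", "avail", "retire"))
            findings.setdefault(m["zone"], {})[m["keytype"]] = {
                "keys_to_allocate": alloc, "keys_needed": needed,
                "keys_available": avail, "keys_pending_retirement": retire,
                "consistent": alloc == needed - (avail - retire),
                "allocation_error": False,
            }
            continue
        m = ERROR_RE.search(line)
        if m:
            keytype = m["keytype"].rstrip("s")  # "zsks" -> "zsk", "ksks" -> "ksk"
            findings.setdefault(m["zone"], {}).setdefault(keytype, {})["allocation_error"] = True
    return findings


def zones_with_allocation_errors(text: str) -> List[str]:
    """Zones for which the enforcer logged an allocation error; these are the
    ones whose HSM access (e.g. SoftHSM database ownership) deserves a look."""
    found = scan_enforcer_log(text)
    return sorted(z for z, per_type in found.items() if any(v.get("allocation_error") for v in per_type.values()))
```

Run it against a copy of syslog to list affected zones before checking the SoftHSM database permissions and the zone's key list with ods-ksmutil.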
