[Opendnssec-user] CRITICAL: failed to sign zone example.com: General error

Michael Grimm trashcan at ellael.org
Mon Jan 16 18:49:06 UTC 2017


Hi --

This is opendnssec 1.4.12 and FreeBSD 11-STABLE.

Today I found the following error message in my logs:

| ods-signerd: [worker[4]] CRITICAL: failed to sign zone example.com: General error

After removing all files in /usr/local/var/opendnssec/signconf and 
/usr/local/var/opendnssec/tmp, and restarting opendnssec afterwards, 
I'll end up with:

| ods-enforcerd: Zone example.com found.
| ods-enforcerd: Policy for example.com set to default.
| ods-enforcerd: Config will be output to /usr/local/var/opendnssec/signconf/example.com.xml.
| ods-enforcerd: Not enough keys to satisfy zsk policy for zone: example.com. keys_to_allocate(1) = keys_needed(1) - (keys_available(1) - keys_pending_retirement(1))
| ods-enforcerd: Tried to allocate 1 keys, failed on allocating key number 1
| ods-enforcerd: ods-enforcerd will create some more keys on its next run
| ods-enforcerd: Error allocating zsks to zone example.com

and

| ods-signerd: [worker[4]] CRITICAL: failed to sign zone example.com: General error

dns> ods-ksmutil key list -all --zone example.com
Keys:
Zone:        Keytype:      State:    Date of next transition:
example.com  KSK           active    2026-01-20 12:59:25
example.com  ZSK           active    2017-01-16 14:00:07

Hmm, what do I need to do in order to recover from that error? Any input 
is highly appreciated.

Thanks and regards,
Michael


