[Opendnssec-user] CRITICAL: failed to sign zone example.com: General error

Berry A.W. van Halderen berry at nlnetlabs.nl
Mon Jan 16 19:34:46 UTC 2017


On 01/16/2017 07:49 PM, Michael Grimm wrote:
> Hi --
> 
> This is opendnssec 1.4.12 and FreeBSD 11-STABLE.
> 
> Today I found the following error message in my logs:
> 
> | ods-signerd: [worker[4]] CRITICAL: failed to sign zone example.com:
> General error
> 
> After removing all files in /usr/local/var/opendnssec/signconf and
> /usr/local/var/opendnssec/tmp, and restarting opendnssec afterwards,
> I'll end up with:
> 
> | ods-enforcerd: Zone example.com found.
> | ods-enforcerd: Policy for example.com set to default.
> | ods-enforcerd: Config will be output to
> /usr/local/var/opendnssec/signconf/example.com.xml.
> | ods-enforcerd: Not enough keys to satisfy zsk policy for zone:
> example.com. keys_to_allocate(1) = keys_needed(1) - (keys_available(1) -
> keys_pending_retirement(1))
> | ods-enforcerd: Tried to allocate 1 keys, failed on allocating key
> number 1
> | ods-enforcerd: ods-enforcerd will create some more keys on its next run
> | ods-enforcerd: Error allocating zsks to zone example.com
> 
> and
> 
> | ods-signerd: [worker[4]] CRITICAL: failed to sign zone example.com:
> General error
> 
> dns> ods-ksmutil key list -all --zone example.com
> Keys:
> Zone:        Keytype:      State:    Date of next transition:
> example.com  KSK           active    2026-01-20 12:59:25
> example.com  ZSK           active    2017-01-16 14:00:07
> 
> Hmm, what do I need to do in order to recover from that error? Any input
> is highly appreciated.
> 

The enforcer will try to allocate more keys upon the next run.  The time
when this happens depends (in 1.4) on the Interval setting in
conf.xml.  Normally a number of minutes (at 14:00 your time).
But my assumption is that this already was tried a number of times.

I don't know which HSM you are using.  If you are using SoftHSM, it
could be due to permissions problems on the files where the keys
are stored, or to a full filesystem.   Check /var/lib/softhsm,
the default location (set in /etc/softhsm.conf).

If you are using a real HSM, it might be a connection problem,
a problem with the library or even that the HSM is full.

Clearing tmp in this case makes no difference.

You can also increase the verbosity in conf.xml and restart
to get a bit more information.  You just need to look at
the ods-enforcerd lines in the log.  The signer doesn't seem
to be the real problem, though I am puzzled why it got the
initial problem.  Did you keep the original
/usr/local/var/opendnssec/signconf/example.com.xml
by any chance?  The current state I can explain, but not
the original.

\Berry

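The SoftHSM checks suggested in the reply above (key storage files readable and writable by the daemon user, and the filesystem holding them not full), written out as a small POSIX shell script. This is an added example, not code from the thread or from the OpenDNSSEC or SoftHSM projects. It assumes the SoftHSM v1 configuration format (one "slot:/path/to/token.db" line per slot, /etc/softhsm.conf by default), that the script is run as the same user ods-enforcerd runs as, and a minimum free-space threshold of 10240 kB, which is an arbitrary choice; the function names check_softhsm_storage and check_token_file are mine.

```shell
#!/bin/sh
# Added example: verify that ods-enforcerd can create new keys in the
# SoftHSM v1 token files. Run as the user the OpenDNSSEC daemons run as.
#
# Assumptions (mine, not from the thread): SoftHSM v1 conf syntax
# "slot:path", default conf /etc/softhsm.conf, and MIN_FREE_KB=10240
# as an arbitrary "enough space left" threshold.

# check_token_file SLOT PATH MIN_FREE_KB
# Returns 0 when the token file for SLOT is usable, 1 otherwise.
check_token_file() {
    slot="$1"; path="$2"; min_free_kb="$3"
    dir=$(dirname "$path")
    me=$(id -un)

    if [ ! -e "$path" ]; then
        echo "slot $slot: token file $path does not exist" >&2
        return 1
    fi
    if [ ! -r "$path" ] || [ ! -w "$path" ]; then
        echo "slot $slot: $path is not readable and writable by $me" >&2
        return 1
    fi
    # SoftHSM v1 keeps the token in an SQLite database, and SQLite creates
    # journal files next to it, so the directory must be writable as well.
    if [ ! -w "$dir" ]; then
        echo "slot $slot: directory $dir is not writable by $me" >&2
        return 1
    fi
    # POSIX "df -Pk": column 4 of the second line is the available kB.
    free_kb=$(df -Pk "$dir" | awk 'NR==2 {print $4}')
    case "$free_kb" in
        ''|*[!0-9]*)
            echo "slot $slot: could not determine free space for $dir" >&2
            return 1 ;;
    esac
    if [ "$free_kb" -lt "$min_free_kb" ]; then
        echo "slot $slot: only ${free_kb} kB free on the filesystem of $dir" >&2
        return 1
    fi
    echo "slot $slot: $path ok (${free_kb} kB free)"
    return 0
}

# check_softhsm_storage [CONF] [MIN_FREE_KB]
# Walks every slot in CONF; returns 0 only if all token files pass,
# 1 if any slot fails, 2 if the conf itself cannot be read.
check_softhsm_storage() {
    conf="${1:-/etc/softhsm.conf}"
    min_free_kb="${2:-10240}"
    rc=0

    if [ ! -r "$conf" ]; then
        echo "cannot read $conf" >&2
        return 2
    fi
    # Read the file directly (no pipe) so "rc" survives the loop.
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|\#*) continue ;;      # blank line or comment
        esac
        slot="${line%%:*}"
        path="${line#*:}"
        check_token_file "$slot" "$path" "$min_free_kb" || rc=1
    done < "$conf"
    return $rc
}

# Usage: sh check_softhsm.sh [/etc/softhsm.conf] [min_free_kb]
if [ "$#" -gt 0 ]; then
    check_softhsm_storage "$@"
fi
```

Run it as the opendnssec user (for example via su or sudo -u) rather than as root, because root passes the permission tests on files the daemon cannot touch; a non-zero exit points at the slot line that ods-enforcerd will fail to write to.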