[Opendnssec-user] CRITICAL: failed to sign zone example.com: General error

Michael Grimm trashcan at ellael.org
Mon Jan 16 20:07:47 UTC 2017

Berry A.W. van Halderen <berry at nlnetlabs.nl> wrote:

> On 01/16/2017 07:49 PM, Michael Grimm wrote:

>> Hmm, what do I need to do in order to recover from that error? Any 
>> input
>> is highly appreciated.
> The enforcer will try to allocate more keys upon the next run.  The 
> time
> when this is depends (in 1.4), upon the Interval setting in the
> conf.xml.  Normally a number of minutes (at 14:00 your time).
> But my assumption is that this already was tried a number of times.

Indeed. In the meantime I do find many of those errors in the logfile.

> I don't know which HSM you are using.

softhsm 1.3.8

> If you are using SoftHSM, it
> could be due to permissions problems on the files where the keys
> are stored, or to a full filesystem.   Check /var/lib/softhsm,
> the default location (set in /etc/softhsm.conf).

-rw-r--r--  1 root  wheel  uarch 44032 Jan 16 20:48 

I have to note, that 8 other domains are kept in that database. None of 
the other domains triggered a similar error (yet).

> You can also increase the verbosity in conf.xml and restart
> to get a bit more information.

I had had <Verbosity>3</Verbosity>. I did increase to 4,5, and 10, but 
to no avail. The very same log messages are reported, no additional 
ones. Is this the verbosity you were refering to?

> Did you keep the original
> /usr/local/var/opendnssec/signconf/example.com.xml
> by any change?

Yes. I did save before rescue trials:

-rw-r--r-- root/opendnssec     990 2017-01-06 21:02 

What do you want me to do with that?

I do have to admit that I am pretty helpless in understanding the 
details of the software I am using. Sad to say :-(

So, what should I do next?

  Create a new key for example.com and import it into softhsm?
  Export kaps.db and re-import? (how?)
  Anything else?

Thanks and regards,

More information about the Opendnssec-user mailing list