[Opendnssec-user] CRITICAL: failed to sign zone example.com: General error

Berry A.W. van Halderen berry at nlnetlabs.nl
Mon Jan 16 20:44:05 UTC 2017

On 01/16/2017 09:07 PM, Michael Grimm wrote:
> Berry A.W. van Halderen <berry at nlnetlabs.nl> wrote:
>> On 01/16/2017 07:49 PM, Michael Grimm wrote:
>>> Hmm, what do I need to do in order to recover from that error? Any input
>>> is highly appreciated.
>> The enforcer will try to allocate more keys upon the next run.  The time
>> when this is depends (in 1.4), upon the Interval setting in the
>> conf.xml.  Normally a number of minutes (at 14:00 your time).
>> But my assumption is that this already was tried a number of times.
> Indeed. In the meantime I do find many of those errors in the logfile.
>> I don't know which HSM you are using.
> softhsm 1.3.8
>> If you are using SoftHSM, it
>> could be due to permissions problems on the files where the keys
>> are stored, or to a full filesystem.   Check /var/lib/softhsm,
>> the default location (set in /etc/softhsm.conf).
> -rw-r--r--  1 root  wheel  uarch 44032 Jan 16 20:48
> /usr/local/var/opendnssec/kasp.db

I'm afraid that is the enforcer database, it has no storage of
the keys.
Given SoftHSM, the proper location is can be seen in /etc/softhsm.conf
or /usr/local/etc/softhsm.conf.  But given FreeBSD I'm pretty sure it is
in /usr/local/var/lib.  You you can check with:
    ls -ld /usr/local/var/lib/softhsm
    df -k /usr/local/var/lib/softhsm
To know if there are any filesystem problems.

Also check if there is a <Capacity> specified in your
This is also a limit on the maximum keys possible.

> I have to note, that 8 other domains are kept in that database. None of
> the other domains triggered a similar error (yet).
>> You can also increase the verbosity in conf.xml and restart
>> to get a bit more information.
> I had had <Verbosity>3</Verbosity>. I did increase to 4,5, and 10, but
> to no avail. The very same log messages are reported, no additional
> ones. Is this the verbosity you were refering to?

Yes, you did restart the daemons right?  Otherwise the change isn't
picked up.  An increase to 6 or 7 often is very verbose.

>> Did you keep the original
>> /usr/local/var/opendnssec/signconf/example.com.xml
>> by any change?
> Yes. I did save before rescue trials:
> -rw-r--r-- root/opendnssec     990 2017-01-06 21:02
> opendnssec/signconf/example.com.xml
> What do you want me to do with that?

Can you send it to me privately?  Me or one of my co-workers can
have a look at it.  There are only references to keys placed
there so no serious security concerns.

> I do have to admit that I am pretty helpless in understanding the
> details of the software I am using. Sad to say :-(
> So, what should I do next?
>  Create a new key for example.com and import it into softhsm?
>  Export kaps.db and re-import? (how?)
>  Anything else?

I don't see how that would help, quick repairs for the signer
are often repairs to the signconf such that the cause of the
failure is seen.

> Thanks and regards,
> Michael
> _______________________________________________
> Opendnssec-user mailing list
> Opendnssec-user at lists.opendnssec.org
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user

More information about the Opendnssec-user mailing list