[Opendnssec-user] CRITICAL: failed to sign zone example.com: General error
Berry A.W. van Halderen
berry at nlnetlabs.nl
Mon Jan 16 20:44:05 UTC 2017
On 01/16/2017 09:07 PM, Michael Grimm wrote:
> Berry A.W. van Halderen <berry at nlnetlabs.nl> wrote:
>
>> On 01/16/2017 07:49 PM, Michael Grimm wrote:
>
>>> Hmm, what do I need to do in order to recover from that error? Any input
>>> is highly appreciated.
>>
>> The enforcer will try to allocate more keys upon the next run. The time
>> when this is depends (in 1.4), upon the Interval setting in the
>> conf.xml. Normally a number of minutes (at 14:00 your time).
>> But my assumption is that this already was tried a number of times.
>
> Indeed. In the meantime I do find many of those errors in the logfile.
>
>> I don't know which HSM you are using.
>
> softhsm 1.3.8
>
>> If you are using SoftHSM, it
>> could be due to permissions problems on the files where the keys
>> are stored, or to a full filesystem. Check /var/lib/softhsm,
>> the default location (set in /etc/softhsm.conf).
>
> -rw-r--r-- 1 root wheel uarch 44032 Jan 16 20:48
> /usr/local/var/opendnssec/kasp.db
I'm afraid that is the enforcer database; it has no storage of
the keys.
Given SoftHSM, the proper location can be seen in /etc/softhsm.conf
or /usr/local/etc/softhsm.conf. But given FreeBSD I'm pretty sure it is
in /usr/local/var/lib. You can check with:
ls -ld /usr/local/var/lib/softhsm
df -k /usr/local/var/lib/softhsm
To know if there are any filesystem problems.
Also check if there is a <Capacity> specified in your
/usr/local/etc/opendnssec/conf.xml
This is also a limit on the maximum keys possible.
> I have to note, that 8 other domains are kept in that database. None of
> the other domains triggered a similar error (yet).
>
>> You can also increase the verbosity in conf.xml and restart
>> to get a bit more information.
>
> I had had <Verbosity>3</Verbosity>. I did increase to 4,5, and 10, but
> to no avail. The very same log messages are reported, no additional
> ones. Is this the verbosity you were referring to?
Yes, you did restart the daemons, right? Otherwise the change isn't
picked up. An increase to 6 or 7 often is very verbose.
>> Did you keep the original
>> /usr/local/var/opendnssec/signconf/example.com.xml
>> by any chance?
>
> Yes. I did save before rescue trials:
>
> -rw-r--r-- root/opendnssec 990 2017-01-06 21:02
> opendnssec/signconf/example.com.xml
>
> What do you want me to do with that?
Can you send it to me privately? I or one of my co-workers can
have a look at it. There are only references to keys placed
there so no serious security concerns.
> I do have to admit that I am pretty helpless in understanding the
> details of the software I am using. Sad to say :-(
>
> So, what should I do next?
>
> Create a new key for example.com and import it into softhsm?
> Export kasp.db and re-import? (how?)
> Anything else?
I don't see how that would help; quick repairs for the signer
are often repairs to the signconf such that the cause of the
failure is seen.
> Thanks and regards,
> Michael
> _______________________________________________
> Opendnssec-user mailing list
> Opendnssec-user at lists.opendnssec.org
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
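A small diagnostic script, added here as an example and not taken from the thread, OpenDNSSEC or SoftHSM, that automates the storage checks discussed above: it walks the token paths listed in softhsm.conf, reports missing or unwritable token files and low free space, and reads the <Capacity> limit from conf.xml. The directory layout and file contents in the demo are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenDNSSEC/SoftHSM.
# Assumes SoftHSM 1.x softhsm.conf lines of the form "slot:/path/to/slotN.db"
# (with '#' comments) and an OpenDNSSEC conf.xml whose <Repository> may
# carry a <Capacity> element.

# Print one line per problem with a SoftHSM token database; print nothing if all is well.
softhsm_storage_problems() {
    conf="$1"
    sed -e 's/#.*//' "$conf" | grep ':' | while IFS=: read -r slot path; do
        dir=$(dirname "$path")
        if [ ! -e "$path" ]; then
            echo "slot $slot: token file $path does not exist"
        elif [ ! -w "$path" ]; then
            echo "slot $slot: token file $path is not writable by $(id -un)"
        fi
        # df -Pk gives POSIX-format output; column 4 is the available space in KiB
        avail=$(df -Pk "$dir" 2>/dev/null | awk 'NR == 2 { print $4 }')
        if [ -n "$avail" ] && [ "$avail" -lt 1024 ]; then
            echo "slot $slot: only ${avail} KiB free on the filesystem holding $dir"
        fi
    done
}

# Print the <Capacity> limit from conf.xml, or "unlimited" when none is configured.
repository_capacity() {
    cap=$(sed -n 's/.*<Capacity>\([0-9][0-9]*\)<\/Capacity>.*/\1/p' "$1" | head -n 1)
    echo "${cap:-unlimited}"
}

# Constructed demo input in a temporary directory: slot 0 is healthy, slot 1's
# token file is missing, and the repository is capped at 8 keys.
demo=$(mktemp -d)
mkdir -p "$demo/lib/softhsm"
printf '# constructed softhsm.conf\n0:%s/lib/softhsm/slot0.db\n1:%s/lib/softhsm/slot1.db\n' \
    "$demo" "$demo" > "$demo/softhsm.conf"
: > "$demo/lib/softhsm/slot0.db"
printf '<Repository name="SoftHSM"><Capacity>8</Capacity></Repository>\n' > "$demo/conf.xml"
softhsm_storage_problems "$demo/softhsm.conf"
echo "repository key capacity: $(repository_capacity "$demo/conf.xml")"
rm -rf "$demo"
```

Run it as the user the enforcer runs as, since the writability check reflects the caller's permissions, not the daemon's.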