[Opendnssec-user] CRITICAL: failed to sign zone example.com: General error

Michael Grimm trashcan at ellael.org
Mon Jan 16 21:09:33 UTC 2017

Berry A.W. van Halderen <berry at nlnetlabs.nl> wrote:
> On 01/16/2017 09:07 PM, Michael Grimm wrote:
>> Berry A.W. van Halderen <berry at nlnetlabs.nl> wrote:

>>> If you are using SoftHSM, it
>>> could be due to permissions problems on the files where the keys
>>> are stored, or to a full filesystem.   Check /var/lib/softhsm,
>>> the default location (set in /etc/softhsm.conf).
>> -rw-r--r--  1 root  wheel  uarch 44032 Jan 16 20:48
>> /usr/local/var/opendnssec/kasp.db
> I'm afraid that is the enforcer database, it has no storage of
> the keys.
> Given SoftHSM, the proper location is can be seen in /etc/softhsm.conf
> or /usr/local/etc/softhsm.conf.  

Sorry my fault. Here is the information you asked for:

MW-dns2|root> ls -al /usr/local/var/softhsm/slot0.db
-rw-------  1 root  wheel  uarch 150528 Jan  4 03:01 /usr/local/var/softhsm/slot0.db

> Also check if there is a <Capacity> specified in your
>  /usr/local/etc/opendnssec/conf.xml
> This is also a limit on the maximum keys possible.

No, there is no such Capacity limitation defined.

>>> You can also increase the verbosity in conf.xml and restart
>>> to get a bit more information.
>> I had had <Verbosity>3</Verbosity>. I did increase to 4,5, and 10, but
>> to no avail. The very same log messages are reported, no additional
>> ones. Is this the verbosity you were refering to?
> Yes, you did restart the daemons right?  

Yes :-)

> An increase to 6 or 7 often is very verbose.

Not here :-( Still no increase observable.

>>> Did you keep the original
>>> /usr/local/var/opendnssec/signconf/example.com.xml
>>> by any change?
>> Yes. I did save before rescue trials:
>> -rw-r--r-- root/opendnssec     990 2017-01-06 21:02
>> opendnssec/signconf/example.com.xml
>> What do you want me to do with that?
> Can you send it to me privately?  Me or one of my co-workers can
> have a look at it.  There are only references to keys placed
> there so no serious security concerns.

Sure, I will send it in private mail.


More information about the Opendnssec-user mailing list