[Opendnssec-user] CRITICAL: failed to sign zone example.com: General error

Michael Grimm trashcan at ellael.org
Wed Jan 18 16:21:47 UTC 2017

Hi Yuri —

Yuri Schaeffer <yuri at nlnetlabs.nl> wrote:

> Please check for the availability of the key in the hsm:
> ods-hsmutil -c /etc/opendnssec/conf.xml list
> It may have trouble finding one of the keys from your signconf:
> 0347526dbd7d57ff891f017c26a30846
> a55ae0ef264253145c8f29c491829d29

Nope. Both keys are found:

dns> ods-hsmutil -c /usr/local/etc/opendnssec/conf.xml list | egrep -i '(0347526dbd7d57ff891f017c26a30846|a55ae0ef264253145c8f29c491829d29)'
SoftHSM               a55ae0ef264253145c8f29c491829d29  RSA/2048  
SoftHSM               0347526dbd7d57ff891f017c26a30846  RSA/2048  

> Also make sure you pass the correct conf.xml file. I'm a little worried
> you may have one on multiple locations.

Hmm. This is a FreeBSD port I installed, but I double-checked, and no, there is only one conf.xml available.

> Since increasing the verbosity doesn't seem to work for you?

I do have the following section in my conf.xml file regarding verbosity:


OpenDNSSEC runs in a FreeBSD jail, and all log messages are forwarded to the host's syslogd. But that shouldn't be the reason for a "not working verbosity setting", correct? Is there a way to fetch error messages into a file?

Well, coming back to my issue. As I mentioned before, I am not that well informed about all the details of DNSSEC. Does the current lack of key rollover for that domain imply major issues for that given domain? I am willing to upgrade OpenDNSSEC, but that would need some time for testing, because I do not want to screw up my recent setup. Would the current issue lead to a disaster if I performed an upgrade under these circumstances? Would it be worth a try?

I really do appreciate your help,


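The check Yuri asked for above (is every key the signconf refers to actually present in the HSM?) can be scripted so it is repeatable, for example as a pre-flight check before a signer restart or an upgrade. The following is an added example, not code from the thread or from OpenDNSSEC. It assumes the `ods-hsmutil list` output has the three-column layout seen in the thread (repository, key ID, algorithm/size); the header and separator lines in the sample are constructed, while the two key lines are copied from the thread.

```shell
#!/bin/sh
# Added example (not from the thread or from OpenDNSSEC): verify that every key
# locator a signconf refers to is present in the HSM as listed by
# `ods-hsmutil -c <conf.xml> list`.  Assumed column layout: Repository, ID, Type.

# Print the key IDs (second column, 32 hex characters) from `ods-hsmutil list`
# output read on stdin.  Header and separator lines have no such second column
# and are skipped.  IDs are lower-cased so the comparison is case-insensitive.
hsm_key_ids() {
    awk '$2 ~ /^[0-9a-fA-F]+$/ && length($2) == 32 { print tolower($2) }'
}

# Usage: check_keys_present "<list output>" LOCATOR...
# Prints one status line per locator; returns 0 only if every locator was found.
check_keys_present() {
    list_output=$1
    shift
    ids=$(printf '%s\n' "$list_output" | hsm_key_ids)
    missing=0
    for locator in "$@"; do
        wanted=$(printf '%s' "$locator" | tr 'A-F' 'a-f')
        # -x: whole-line match, so a locator cannot match a substring of another ID
        if printf '%s\n' "$ids" | grep -qx "$wanted"; then
            echo "found   $locator"
        else
            echo "MISSING $locator"
            missing=1
        fi
    done
    return "$missing"
}

# Constructed sample: header and separator invented, key lines taken from the thread.
SAMPLE_LIST='Repository            ID                                Type
----------            --                                ----
SoftHSM               a55ae0ef264253145c8f29c491829d29  RSA/2048
SoftHSM               0347526dbd7d57ff891f017c26a30846  RSA/2048'

# Against a live installation this would be:
#   check_keys_present "$(ods-hsmutil -c /usr/local/etc/opendnssec/conf.xml list)" \
#       0347526dbd7d57ff891f017c26a30846 a55ae0ef264253145c8f29c491829d29
check_keys_present "$SAMPLE_LIST" \
    0347526dbd7d57ff891f017c26a30846 a55ae0ef264253145c8f29c491829d29
```

The exit status makes the check usable from cron or a deployment script: a non-zero result means at least one locator the signer expects is missing from the repository, which is exactly the condition Yuri suspected behind the "General error".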