[Opendnssec-user] CRITICAL: failed to sign zone example.com: General error
trashcan at ellael.org
Wed Jan 18 16:21:47 UTC 2017
Hi Yuri —
Yuri Schaeffer <yuri at nlnetlabs.nl> wrote:
> Please check for the availability of the key in the hsm:
> ods-hsmutil -c /etc/opendnssec/conf.xml list
> It may have trouble finding one of the keys from your signconf:
Nope. Both keys are found:
dns> ods-hsmutil -c /usr/local/etc/opendnssec/conf.xml list | egrep -i '(0347526dbd7d57ff891f017c26a30846|a55ae0ef264253145c8f29c491829d29)'
SoftHSM a55ae0ef264253145c8f29c491829d29 RSA/2048
SoftHSM 0347526dbd7d57ff891f017c26a30846 RSA/2048
> Also make sure you pass the correct conf.xml file. I'm a little worried
> you may have one on multiple locations.
Hmm. This is a FreeBSD port I did install, but I double-checked, and no, there is only one conf.xml available.
> Since increasing the verbosity doesn't seem to work for you?
I do have the following section in my conf.xml file regarding verbosity:
Opendnssec runs in a FreeBSD jail, and all log messages are forwarded to the host's syslogd. But that shouldn't be the reason for a "not working verbosity setting", correct? Is there a way to fetch error messages into a file?
Well, coming back to my issue. As I mentioned before, I am not that well informed about all the details of DNSSEC. Might the current lack of key rollover for that domain imply major issues for that given domain? I am willing to upgrade opendnssec, but that would need some time of testing, because I do not want to screw up my recent setup. Would the current issue lead to a disaster if I performed an upgrade under these circumstances? Would it be worth a try?
I really do appreciate your help,