[Opendnssec-user] CRITICAL: failed to sign zone example.com: General error

Michael Grimm trashcan at ellael.org
Wed Jan 18 22:08:40 UTC 2017

Yuri Schaeffer <yuri at nlnetlabs.nl> wrote:

> It is clear now that the signer can't sign the zone because you removed
> the signconf. And the enforcer isn't generating a signconf because it is
> stuck generating a new key.
I do have daily backups of all files involved over the last 6 months (thanks to ZFS snapshots). I haven't tried to re-install example.com.xml yet.

[What doesn't make sense to me is: there are eight other domains involved that do not show this issue.]

> It is hard to imagine anything else than permissions to be the problem
> here. Please check if ods-signerd actually runs as root and doesn't drop
> permissions.

dns> ps aux 
root    71041  0.0  0.0  53060 10416  -  IsJ  22:30   0:00.06 /usr/local/sbin/ods-enforcerd
root    71050  0.0  0.0  79672 11160  -  IsJ  22:30   0:00.10 /usr/local/sbin/ods-signerd -c /usr/local/etc/opendnsse

> Also share your conf.xml with us/me if you can.

dns> cat conf.xml
<?xml version="1.0" encoding="UTF-8"?>
		<Repository name="SoftHSM">

[IP address obscured]

dns> ls -al /usr/local/etc/opendnssec/*.xml
-rw-r--r--  1 root  wheel  1662 Dec 28 12:17 /usr/local/etc/opendnssec/addns.xml
-rw-r-----  1 root  wheel  1867 Jan 18 21:17 /usr/local/etc/opendnssec/conf.xml
-rw-r--r--  1 root  wheel  5881 Apr 12  2015 /usr/local/etc/opendnssec/kasp.xml
-rw-r--r--  1 root  wheel  3541 Jan 16 18:30 /usr/local/etc/opendnssec/zonelist.xml

dns> ls -al /usr/local/var/opendnssec/
-rw-r--r--  1 root        wheel       44032 Jan 18 22:30 kasp.db
-rw-r--r--  1 root        wheel           0 Jan 18 22:44 kasp.db.our_lock
drwxr-xr-x  2 opendnssec  opendnssec     10 Jan 18 22:30 signconf
drwxr-xr-x  2 opendnssec  opendnssec      2 May 18  2016 signed
drwxr-xr-x  2 opendnssec  opendnssec     37 Jan 18 22:19 tmp
drwxr-xr-x  2 opendnssec  opendnssec      2 May 18  2016 unsigned

> Check the permissions on /etc/softhsm/softhsm.conf and the path mentioned
> in that file.

dns> ls -al /usr/local/etc/softhsm.conf
-rw-r--r--  1 root  wheel  293 Feb  3  2015 /usr/local/etc/softhsm.conf

dns> cat /usr/local/etc/softhsm.conf

dns> ls -al /usr/local/var/softhsm/slot0.db
-rw-------  1 root  wheel  150528 Jan 18 20:26 /usr/local/var/softhsm/slot0.db

[I did change that to 666 for testing purposes, to no avail]

> It really seems like something is missing write permissions.

At first glance, I cannot see an issue here. But I will continue investigating.

> Updating OpenDNSSEC will therefore not resolve your problems. After
> fixing this issue I would encourage you to update, but not right now.

Thanks for that info. So I will solve my issue first.

Thank you very much for your help,

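The permission checks Yuri asks for above, done as a script rather than by eye (an added example, not from the thread or from the OpenDNSSEC project). It computes classic Unix DAC access from mode bits and ownership for a given uid and set of gids, so you can check what ods-signerd or ods-enforcerd could reach as a non-root user without switching to that user; it also checks search (x) permission on every ancestor directory, which `ls -al` of the final directory never shows. Assumptions: the file list follows the directory listings in this thread, softhsm.conf is in the SoftHSM v1 `slot:path` format (v2 uses `directories.tokendir`), and the fixture tree, modes and uids it builds under a temp dir are constructed for the demonstration.

```python
"""Added example (not from the thread): audit whether the OpenDNSSEC and SoftHSM
files are reachable by the uid/gids a daemon runs as, without su'ing to it."""
import os
import stat
import tempfile
from pathlib import Path

BITS = {'r': 4, 'w': 2, 'x': 1}


def mode_allows(st, uid, gids, want):
    """Classic DAC check: may a process with `uid`/`gids` get all of `want`
    ('r', 'w', 'x') on a file with stat result `st`?  uid 0 bypasses mode
    bits, which is why a root-owned 0600 slot0.db is no obstacle while the
    daemons really run as root."""
    if uid == 0:
        return True
    if uid == st.st_uid:
        shift = 6
    elif st.st_gid in gids:
        shift = 3
    else:
        shift = 0
    cls = (st.st_mode >> shift) & 0o7
    need = 0
    for c in want:
        need |= BITS[c]
    return cls & need == need


def check_path(path, uid, gids, want):
    """Problems for `path`: every ancestor must be searchable (x) and the path
    itself must grant `want`.  An empty list means the user can get at it."""
    p = Path(path).resolve()
    problems = []
    for anc in reversed(p.parents):          # '/' first, then down the tree
        if not mode_allows(os.stat(anc), uid, gids, 'x'):
            problems.append(f"{anc}: uid {uid} cannot search (x) this directory")
    try:
        st = os.stat(p)
    except FileNotFoundError:
        return problems + [f"{p}: does not exist"]
    if not mode_allows(st, uid, gids, want):
        problems.append(f"{p}: needs {want}, has {stat.filemode(st.st_mode)} "
                        f"owned by {st.st_uid}:{st.st_gid}")
    return problems


def softhsm_v1_token_paths(conf_text):
    """Token database paths from a SoftHSM v1 softhsm.conf ('slot:path' per
    line, '#' comments).  Assumed format; v2 uses 'directories.tokendir'."""
    paths = []
    for raw in conf_text.splitlines():
        line = raw.split('#', 1)[0].strip()
        _slot, sep, path = line.partition(':')
        if sep and path.strip():
            paths.append(path.strip())
    return paths


def audit(conf_dir, var_dir, softhsm_conf, uid, gids):
    """Check every file the enforcer/signer touch with the access each needs.
    The list is an assumption drawn from the directory listings in the thread."""
    conf_dir, var_dir = Path(conf_dir), Path(var_dir)
    wanted = [(conf_dir / n, 'r') for n in ('conf.xml', 'kasp.xml', 'zonelist.xml')]
    wanted += [(var_dir / 'kasp.db', 'rw')]                 # enforcer updates key state
    wanted += [(var_dir / d, 'rwx') for d in ('signconf', 'signed', 'tmp')]
    wanted += [(Path(softhsm_conf), 'r')]
    with open(softhsm_conf) as fh:                          # key generation writes the token db
        wanted += [(Path(t), 'rw') for t in softhsm_v1_token_paths(fh.read())]
    return {str(Path(p).resolve()): check_path(p, uid, gids, w) for p, w in wanted}


def build_demo_tree():
    """Constructed fixture under a temp dir (not the poster's box): the files
    and modes from the thread's listings, all owned by the current user."""
    root = Path(tempfile.mkdtemp(prefix='ods-audit-'))
    conf_dir, var_dir, hsm_dir = root / 'etc', root / 'var', root / 'softhsm'
    for d in (root, conf_dir, var_dir, hsm_dir,
              var_dir / 'signconf', var_dir / 'signed', var_dir / 'tmp'):
        d.mkdir(exist_ok=True)
        os.chmod(d, 0o755)
    files = {conf_dir / 'conf.xml': 0o640, conf_dir / 'kasp.xml': 0o644,
             conf_dir / 'zonelist.xml': 0o644, var_dir / 'kasp.db': 0o644,
             hsm_dir / 'slot0.db': 0o600, root / 'softhsm.conf': 0o644}
    for f, mode in files.items():
        f.touch()
        os.chmod(f, mode)
    (root / 'softhsm.conf').write_text(f"# constructed v1 config\n0:{hsm_dir / 'slot0.db'}\n")
    return str(conf_dir), str(var_dir), str(root / 'softhsm.conf')


def demo():
    """Audit the fixture as uid 0 (what `ps aux` showed), as an unprivileged
    uid, and again after the poster's `chmod 666` on the token db."""
    conf_dir, var_dir, hsm_conf = build_demo_tree()
    uid, gids = os.getuid() + 1, {os.getgid() + 1}   # assumed: neither owner nor root
    stages = {'root': audit(conf_dir, var_dir, hsm_conf, 0, {0}),
              'unprivileged': audit(conf_dir, var_dir, hsm_conf, uid, gids)}
    with open(hsm_conf) as fh:
        for token in softhsm_v1_token_paths(fh.read()):
            os.chmod(token, 0o666)
    stages['after chmod 666'] = audit(conf_dir, var_dir, hsm_conf, uid, gids)
    return stages


if __name__ == '__main__':
    for stage, results in demo().items():
        print(f"== {stage}")
        for problems in results.values():
            for msg in problems:
                print(f"  {msg}")
```

Against the modes in the listings above it reports nothing for uid 0, which matches `ps aux` showing both daemons as root, and for any non-root uid it flags conf.xml (0640 root:wheel, unreadable), kasp.db (0644, not writable) and slot0.db (0600, neither); the `chmod 666` on slot0.db clears only the last of those. On a real box feed it the uid/gids the daemons would drop to (the `<Privileges>` user and group in conf.xml, if one is configured) and the real paths. It only models mode bits: ACLs, jail or MAC restrictions and a daemon dropping privileges after start are outside what it can see.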