[Opendnssec-user] CRITICAL: failed to sign zone example.com: General error

Yuri Schaeffer yuri at nlnetlabs.nl
Thu Jan 19 09:10:18 UTC 2017

> After that I think we have exhausted all possible access permissions.
> And we are left with the puzzling question why the other domains
> aren't seeing the same issue.  It would mean that just the generation
> of keys isn't working.

It could be that they simply haven't initiated a rollover yet so no
writing necessary. And they still have their signconf so the signer will
keep running.

> @Yuri also: could there be a change in the policy/kasp which prevents
> generation of keys?

Yes, you can set <ManualRollover/> in the <KSK> and <ZSK> sections. In
1.4 for ZSK it will mean no ZSK will be generated at all. A KSK might be
generated but not rolled too unless issues by the user.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 195 bytes
Desc: OpenPGP digital signature
URL: <http://lists.opendnssec.org/pipermail/opendnssec-user/attachments/20170119/63825879/attachment.bin>

More information about the Opendnssec-user mailing list