[Opendnssec-user] CRITICAL: failed to sign zone example.com: General error
Michael Grimm
trashcan at ellael.org
Fri Jan 20 11:54:00 UTC 2017
Yuri Schaeffer wrote:
>> dns|root> ods-hsmutil -v test SoftHSM
>
> Hmm this shows that generating new keys is not a problem per se. Can you
> send me your kasp.xml?
[see separate mail]
>> What to do next:
>>
>> #) would such a database be possible to migrate to softhsm2? Either
>> by the migration script or manually (export, import)?
>
> If this is indeed a softhsm issue it might work. I'm not involved in the
> SoftHSM development but as far as I know SoftHSMv2 includes a
> softhsm2-migrate program to do this import for you.
Yes, there is such a tool. I was referring to: wouldn't it be wiser to
export/import every non-problematic domain manually instead?
>> #) should I try to trigger a manual ZSK rollover for the erratic
>> domain?
>
> It seems to have trouble generating new keys from the enforcer. So I
> don't think that would help you.
Thanks for your clarification.
>> #) I am already thinking about a worst case scenario: Restarting from
>> scratch (only 9 domains involved). I have read that it should be
>> possible to run two opendnssec versions in parallel. Can you confirm
>> this?
>
> It is perfectly possible to run two instances in parallel. Though you
> have to make sure you set all the paths correctly so that config files,
> PID files, tmp files etc don't mix.
Ok, then I will give that a try.
Again, I do really appreciate the help from all of you,
Michael