[Opendnssec-user] CRITICAL: failed to sign zone example.com: General error

Michael Grimm trashcan at ellael.org
Fri Jan 20 11:54:00 UTC 2017

Yuri Schaeffer wrote:

>> dns|root> ods-hsmutil -v test SoftHSM
> Hmm this shows that generating new keys is not a problem perse. Can you
> send me your kasp.xml?

[see separate mail]

>> What to do next:
>> #) would such a database be possible to migrate to softhsm2? Either
>> by the migration script or manually (export, import)?
> If this is indeed a softhsm issue it might work. I'm not involved in 
> the
> SoftHSM development but as far as I know SoftHSMv2 includes a
> softhsm2-migrate program to do this import for you.

Yes, there is such a tool. I was referring to: wouldn't it be wiser to 
export/import every non-problematic domain manually instead?

>> #) should I try to trigger a manual ZSK rollover for the erratic
>> domain?
> It seems to have trouble generating new keys from the enforcer. So I
> don't think that would help you.

Thanks for your clarification.

>> #) I am already thinking about a worst case scenario: Restarting from
>> scratch (only 9 domains involved). I have read that it should be
>> possible to run two opendnssec versions in parallel. Can you confirm
>> this?
> It is perfectly possible to run two instances in parallel. Though you
> have to make sure you set all the paths correctly so that config files,
> PID files, tmp files etc don't mix.

Ok, then I will give that a try.

Again, I do really appreciate the help from all of you,

More information about the Opendnssec-user mailing list