[Opendnssec-user] CRITICAL: failed to sign zone example.com: General error
trashcan at ellael.org
Sat Jan 21 12:34:35 UTC 2017
Hi Havard —
Congratulations, I do believe that you solved my problem! Thank you very, very much.
JFTR: I migrated to softhsm2 in the meantime, and that worked out fine running:
dns> ./softhsm2-migrate --db /usr/local/var/softhsm/slot0.db --token OpenDNSSEC
[I had had to use "--token" instead of "--slot", dunno why]
But my reported issue with example.com couldn't be solved hereby.
Havard Eidnes <he at uninett.no> wrote:
>> | ods-enforcerd: Zone example.com found.
>> | ods-enforcerd: Policy for example.com set to default.
>> | ods-enforcerd: Config will be output to /usr/local/var/opendnssec/signconf/example.com.xml.
>> | ods-enforcerd: Not enough keys to satisfy zsk policy for zone:
>> | example.com. keys_to_allocate(1) = keys_needed(1) - (keys_available(1) - keys_pending_retirement(1))
>> | ods-enforcerd: Tried to allocate 1 keys, failed on allocating key number 1
>> | ods-enforcerd: ods-enforcerd will create some more keys on its next run
>> | ods-enforcerd: Error allocating zsks to zone example.com
> I think I've seen a similar problem sometime before.
> If I recall correctly, the problem turned out to be that there
> was a key stuck in a "funny state". Ah, yes, found my message
> from January 25 last year which started me on this, message-id
> is <20160125.153502.606424278663993120.he at uninett.no>.
> This is also related to
I did read this thread, and ...
> In my case, one problematic zone had a key stuck in "generate"
> state (only visible with "--all" given to ods-ksmutil, as in
> "ods-ksmutil key list -v --all --zone <zone>"), and I deleted it
> ods-ksmutil key delete --cka_id 15e81adbc4a30ced30cf1bab8cb2b212
… bingo! I did find two keys in a "generate" state as well.
In my case it turned out to be two KSKs of two different domains, not example.com:
dns> ods-ksmutil key list --verbose --all
Zone: Keytype: State: Date of next transition (to): ...
example.tld1 KSK active 2025-12-09 09:21:53 (retire) ...
example.tld1 ZSK active 2017-03-03 18:15:51 (retire) ...
example.tld1 KSK generate (not scheduled) (publish) ...
example.tld2 KSK active 2025-12-10 15:07:05 (retire) ...
example.tld2 ZSK active 2017-03-06 12:16:21 (retire) ...
example.tld2 KSK generate (not scheduled) (publish) ...
example.com KSK active 2026-01-20 12:59:25 (retire) ...
example.com ZSK active 2017-01-16 14:00:07 (retire) ...
Thus, I did remove those two keys as well ...
> Stopping OpenDNSSEC, removing those two keys with
> ods-ksmutil key delete --cka_id 3b929d0ab308b4e1e8bf81abf1e6dafe
> ods-ksmutil key delete --cka_id b3c5b3d619c086f41f3f2ed440419f23
> and restarting OpenDNSSEC made it work better again.
… and restarting opendnssec left me with promising log entries ...
| ods-enforcerd: Zone example.com found.
| ods-enforcerd: Policy for example.com set to default.
| ods-enforcerd: Config will be output to /usr/local/var/opendnssec/signconf/example.com.xml.
| ods-enforcerd: WARNING: ZSK rollover for zone 'example.com' not completed as there are no keys in the 'ready' state; ods-enforcerd will try again when it runs next
| ods-enforcerd: Could not call signer engine
| ods-enforcerd: Will continue: call '/usr/local/sbin/ods-signer update example.com' to manually update the zone
| ods-enforcerd: Disconnecting from Database...
| ods-enforcerd: Sleeping for 3600 seconds.
… and promising key list:
dns> ods-ksmutil key list --verbose
example.com KSK active 2026-01-20 12:59:25
example.com ZSK active 2017-01-16 14:00:07
example.com ZSK publish 2017-01-22 02:56:24
If I am not mistaken, you did solve my problem. Tomorrow morning I should know, correct?
Thank you, and all the others who helped me solve this issue and taught me so much about the software I am using, very much.
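As an added example (not code from this thread or from the OpenDNSSEC project), the following script parses the output of `ods-ksmutil key list --verbose --all` and reports keys stuck in the "generate" / "(not scheduled)" state described above, which the default listing without `--all` hides; the listing is constructed, and the whitespace-separated column order (Zone, Keytype, State, next transition) is assumed from the message.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenDNSSEC: parse the
# output of "ods-ksmutil key list --verbose --all" and report the keys
# that block allocation, i.e. those in state "generate" whose next
# transition is "(not scheduled)". Assumption: columns are whitespace
# separated, in the order shown in the message: Zone, Keytype, State,
# then the "Date of next transition" field.

# Constructed sample listing, modelled on the pre-fix output above.
SAMPLE_KEYLIST='Zone:         Keytype: State:    Date of next transition (to):
example.tld1  KSK      active    2025-12-09 09:21:53 (retire)
example.tld1  ZSK      active    2017-03-03 18:15:51 (retire)
example.tld1  KSK      generate  (not scheduled) (publish)
example.tld2  KSK      active    2025-12-10 15:07:05 (retire)
example.tld2  ZSK      active    2017-03-06 12:16:21 (retire)
example.tld2  KSK      generate  (not scheduled) (publish)
example.com   KSK      active    2026-01-20 12:59:25 (retire)
example.com   ZSK      active    2017-01-16 14:00:07 (retire)'

# Print "zone keytype" for each key stuck in "generate"; these rows are
# only visible with --all, which is why the default listing looked clean.
stuck_keys() {
    printf '%s\n' "$1" | awk '
        NR == 1 { next }                 # skip the header line
        $3 == "generate" && $4 == "(not" && $5 == "scheduled)" { print $1, $2 }
    '
}

# Print zones that have no ZSK in "publish" or "ready"; this is the
# condition behind the "no keys in the ready state" warning. Informational
# only: a successor ZSK is expected only as a rollover approaches.
zones_without_zsk_successor() {
    printf '%s\n' "$1" | awk '
        NR == 1 { next }
        { zones[$1] = 1 }
        $2 == "ZSK" && ($3 == "publish" || $3 == "ready") { succ[$1] = 1 }
        END { for (z in zones) if (!(z in succ)) print z }
    ' | sort
}

echo "Keys stuck in generate state:"
stuck_keys "$SAMPLE_KEYLIST"
echo "Zones without a ZSK successor:"
zones_without_zsk_successor "$SAMPLE_KEYLIST"
```

Against a live enforcer, pass the real listing instead of the sample: `stuck_keys "$(ods-ksmutil key list --verbose --all)"`.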