[Opendnssec-user] [EXT] CRITICAL: failed to sign zone

Ulrich-Lorenz Schlüter audiomobster at gmail.com
Sat Aug 17 09:04:58 UTC 2019


On 16.08.19 at 20:36, Berry A.W. van Halderen wrote:
> On 8/16/19 6:21 PM, Ulrich-Lorenz Schlüter wrote:
>> I checked perms as described.
>> Turned up logging verbosity.
>> "ods-ksmutil key list --verbose" does not spit out any keys.
>>
> 
> Did you perform the upgrade steps to get to 1.4.14?  Were there
> any anomalies?
> If ods-ksmutil does not list keys, but there are no errors either
> then I would suspect problems there.  However if you increased logging
> level there should be more explanatory help in the logging.  Perhaps
> in the syslog configuration these are repressed, or they end up in a
> different log file.
> 
> You can also try the command "ods-hsmutil list" to list keys.  The
> ods-ksmutil lists keys as known to OpenDNSSEC, ods-hsmutil lists keys
> as found in the HSM.
I migrated to Fedora 30 aarch64, as upgrading on CentOS seemed too much of
a hassle.
By now ods-ksmutil and ods-hsmutil both list keys.
OpenDNSSEC is missing files in the /var/opendnssec/signed and
/var/opendnssec/unsigned folders.

Aug 17 10:54:55 one ods-signerd[5550]: [netio] no events before the
minimum timeout expired
Aug 17 10:54:55 one ods-signerd[5550]: [xfrd] zone sycosys.de timeout
Aug 17 10:54:55 one ods-signerd[5550]: [xfrd] zone sycosys.de make
request [udp round 0 master 127.0.0.1:53]
Aug 17 10:54:55 one ods-signerd[5550]: [domain] tsig sign query with
key: opendnssec-in.
Aug 17 10:54:55 one ods-signerd[5550]: [domain] tsig sign query with
algorithm: hmac-md5.sig-alg.reg.int.
Aug 17 10:54:55 one ods-signerd[5550]: [xfrd] tsig append rr to request
id=35511
Aug 17 10:54:55 one ods-signerd[5550]: [xfrd] zone sycosys.de request
udp/ixfr=1565763800 to 127.0.0.1
Aug 17 10:54:55 one ods-signerd[5550]: [xfrd] send 186 bytes over udp to
127.0.0.1
Aug 17 10:54:55 one ods-signerd[5550]: [xfrhandler] netio dispatch
Aug 17 10:54:55 one ods-signerd[5550]: [xfrd] zone sycosys.de event udp read
Aug 17 10:54:55 one ods-signerd[5550]: [xfrd] zone sycosys.de sets timer
timeout now
Aug 17 10:54:55 one ods-signerd[5550]: [xfrd] zone sycosys.de read data
from udp
Aug 17 10:54:55 one ods-signerd[5550]: [xfrd] zone sycosys.de got update
indicating current serial 1565763800 from 127.0.0.1
Aug 17 10:54:55 one ods-signerd[5550]: [xfrd] zone sycosys.de sets timer
timeout refresh 3600
Aug 17 10:54:55 one ods-signerd[5550]: [xfrd] zone sycosys.de wait
refresh time
Aug 17 10:54:55 one ods-signerd[5550]: [xfrd] zone sycosys.de xfr packet
parsed (res 5)
Aug 17 10:54:55 one ods-signerd[5550]: [xfrd] xfr/newlease from 127.0.0.1
Aug 17 10:54:55 one ods-signerd[5550]: [xfrhandler] netio dispatch
Aug 17 10:55:59 one ods-signerd[5550]: [socket] incoming udp message
Aug 17 10:55:59 one ods-signerd[5550]: [tsig] parse: not TSIG or not ANY
Aug 17 10:55:59 one ods-signerd[5550]: [tsig] parse: not TSIG or not ANY
Aug 17 10:55:59 one ods-signerd[5550]: [query] too many additional rrs
Aug 17 10:55:59 one ods-signerd[5550]: [query] formerr
Aug 17 10:55:59 one ods-signerd[5550]: [socket] query processed qstate=0
Aug 17 10:55:59 one ods-signerd[5550]: [query] add edns opt ok
Aug 17 10:55:59 one ods-signerd[5550]: [socket] sending 144 bytes over udp
Aug 17 10:55:59 one ods-signerd[5550]: [dnshandler] netio dispatch
Aug 17 10:56:50 one ods-enforcerd[5540]: HSM connection open.
Aug 17 10:56:50 one ods-enforcerd[5540]: Reading config
"/etc/opendnssec/conf.xml"
Aug 17 10:56:50 one ods-enforcerd[5540]: Reading config schema
"/usr/share/opendnssec/conf.rng"
Aug 17 10:56:50 one ods-enforcerd[5540]: Communication Interval: 3600
Aug 17 10:56:50 one ods-enforcerd[5540]: No DS Submit command supplied
Aug 17 10:56:50 one ods-enforcerd[5540]: SQLite database set to:
/var/opendnssec/kasp.db
Aug 17 10:56:50 one ods-enforcerd[5540]: Log User set to: local0
Aug 17 10:56:50 one ods-enforcerd[5540]: Switched log facility to: local0
Aug 17 10:56:50 one ods-enforcerd[5540]: Connecting to Database...
Aug 17 10:56:50 one ods-enforcerd[5540]: Policy default found.
Aug 17 10:56:50 one ods-enforcerd[5540]: Key sharing is Off.
Aug 17 10:56:50 one ods-enforcerd[5540]: 2 zone(s) found on policy "default"
Aug 17 10:56:50 one ods-enforcerd[5540]: No new KSKs need to be created.
Aug 17 10:56:50 one ods-enforcerd[5540]: No new ZSKs need to be created.
Aug 17 10:56:50 one ods-enforcerd[5540]: Purging keys...
Aug 17 10:56:50 one ods-enforcerd[5540]: zonelist filename set to
/etc/opendnssec/zonelist.xml.
Aug 17 10:56:50 one ods-enforcerd[5540]: Zone sycosys.de found.
Aug 17 10:56:50 one ods-enforcerd[5540]: Policy for sycosys.de set to
default.
Aug 17 10:56:50 one ods-enforcerd[5540]: Config will be output to
/var/opendnssec/signconf/sycosys.de.xml.
Aug 17 10:56:50 one ods-enforcerd[5540]: WARNING: New KSK has reached
the ready state; please submit the DS for sycosys.de and use ods-ksmutil
key ds-seen when the DS appears in the DNS.
Aug 17 10:56:50 one ods-enforcerd[5540]: No change to:
/var/opendnssec/signconf/sycosys.de.xml
Aug 17 10:56:50 one ods-enforcerd[5540]: Zone schlueter.family found.
Aug 17 10:56:50 one ods-enforcerd[5540]: Policy for schlueter.family set
to default.
Aug 17 10:56:50 one ods-enforcerd[5540]: Config will be output to
/var/opendnssec/signconf/schlueter.family.xml.
Aug 17 10:56:50 one ods-enforcerd[5540]: WARNING: New KSK has reached
the ready state; please submit the DS for schlueter.family and use
ods-ksmutil key ds-seen when the DS appears in the DNS.
Aug 17 10:56:50 one ods-enforcerd[5540]: No change to:
/var/opendnssec/signconf/schlueter.family.xml
Aug 17 10:56:50 one ods-enforcerd[5540]: Disconnecting from Database...
Aug 17 10:56:50 one ods-enforcerd[5540]: Sleeping for 3600 seconds.
Aug 17 10:57:04 one ods-signerd[5550]: [socket] incoming udp message
Aug 17 10:57:04 one ods-signerd[5550]: [tsig] parse: not TSIG or not ANY
Aug 17 10:57:04 one ods-signerd[5550]: [tsig] parse: not TSIG or not ANY
Aug 17 10:57:04 one ods-signerd[5550]: [query] too many additional rrs
Aug 17 10:57:04 one ods-signerd[5550]: [query] formerr
Aug 17 10:57:04 one ods-signerd[5550]: [socket] query processed qstate=0
Aug 17 10:57:04 one ods-signerd[5550]: [query] add edns opt ok
Aug 17 10:57:04 one ods-signerd[5550]: [socket] sending 138 bytes over udp
Aug 17 10:57:04 one ods-signerd[5550]: [dnshandler] netio dispatch


