[Opendnssec-user] [EXT] CRITICAL: failed to sign zone

Andrew Ivanov ivanov at data1.co
Mon Aug 19 09:17:52 UTC 2019


On Sat, Aug 17, 2019 at 11:04:58AM +0200, Ulrich-Lorenz Schlüter wrote:
> On 16.08.19 at 20:36, Berry A.W. van Halderen wrote:
> > On 8/16/19 6:21 PM, Ulrich-Lorenz Schlüter wrote:
> >> I checked perms as described.
> >> Turned up logging verbosity.
> >> "ods-ksmutil key list --verbose" does not spit out any keys.
> >>
> > 
> > Did you perform the upgrade steps to get to 1.4.14?  Were there
> > any anomalies?
> > If ods-ksmutil does not list keys, but there are no errors either
> > then I would suspect problems there.  However if you increased logging
> > level there should be more explanatory help in the logging.  Perhaps
> > in the syslog configuration these are repressed, or they end up in a
> > different log file.
> > 
> > You can also try the command "ods-hsmutil list" to list keys.  The
> > ods-ksmutil lists keys as known to OpenDNSSEC, ods-hsmutil lists keys
> > as found in the HSM.
> I migrated to Fedora 30 aarch64 as upgrading on CentOS seemed too much of
> a hassle.
> By now ods-ksmutil and ods-hsmutil both list keys.
> opendnssec is missing files in the /var/opendnssec/signed and
> /var/opendnssec/unsigned folder.
> 
> Aug 17 10:54:55 one ods-signerd[5550]: [xfrd] zone sycosys.de xfr packet
> parsed (res 5)
> Aug 17 10:54:55 one ods-signerd[5550]: [xfrd] xfr/newlease from 127.0.0.1
> Aug 17 10:54:55 one ods-signerd[5550]: [xfrhandler] netio dispatch
> Aug 17 10:55:59 one ods-signerd[5550]: [socket] incoming udp message
> Aug 17 10:55:59 one ods-signerd[5550]: [tsig] parse: not TSIG or not ANY
> Aug 17 10:55:59 one ods-signerd[5550]: [tsig] parse: not TSIG or not ANY
> Aug 17 10:55:59 one ods-signerd[5550]: [query] too many additional rrs
> Aug 17 10:55:59 one ods-signerd[5550]: [query] formerr
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
The problem is here. Check server TSIG-settings and adapters in addns.xml.


> Aug 17 10:55:59 one ods-signerd[5550]: [socket] query processed qstate=0
> Aug 17 10:55:59 one ods-signerd[5550]: [query] add edns opt ok
> Aug 17 10:55:59 one ods-signerd[5550]: [socket] sending 144 bytes over udp
> Aug 17 10:55:59 one ods-signerd[5550]: [dnshandler] netio dispatch
> Aug 17 10:56:50 one ods-enforcerd[5540]: HSM connection open.
> Aug 17 10:56:50 one ods-enforcerd[5540]: Reading config
> "/etc/opendnssec/conf.xml"




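The reply above points at the TSIG settings and adapters in addns.xml. As an added example (not part of the thread and not OpenDNSSEC code), this Python check cross-references every `<Key>` used by a transfer or notify entry against the declared `<TSIG>` blocks. It assumes the element layout of OpenDNSSEC's sample addns.xml (`TSIG/Name`, `Inbound`, `Outbound`, `Remote`, `Peer`, `Key`); the file content, key name and `audit_addns` helper are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not the poster's file: one key is misspelled in
# AllowNotify and the ProvideTransfer peer has no key at all.
SAMPLE_ADDNS = """<Adapter><DNS>
  <TSIG><Name>xfr-key.example</Name><Algorithm>hmac-sha256</Algorithm>
        <Secret>PLACEHOLDER</Secret></TSIG>
  <Inbound>
    <RequestTransfer><Remote><Address>127.0.0.1</Address>
      <Key>xfr-key.example</Key></Remote></RequestTransfer>
    <AllowNotify><Peer><Prefix>127.0.0.1</Prefix>
      <Key>xfr-key.exmaple</Key></Peer></AllowNotify>
  </Inbound>
  <Outbound>
    <ProvideTransfer><Peer><Prefix>192.0.2.10</Prefix></Peer></ProvideTransfer>
  </Outbound>
</DNS></Adapter>"""

def norm(name):
    """TSIG key names are DNS names: compare case-insensitively, no trailing dot."""
    return (name or "").strip().rstrip(".").lower()

def audit_addns(xml_text):
    """Return (location, address, problem) tuples for TSIG inconsistencies."""
    dns = ET.fromstring(xml_text).find("DNS")
    if dns is None:
        return [("Adapter", "-", "no <DNS> adapter section")]
    findings, declared, used = [], set(), set()
    for tsig in dns.findall("TSIG"):
        name = norm(tsig.findtext("Name"))
        declared.add(name)
        for field in ("Algorithm", "Secret"):
            if not (tsig.findtext(field) or "").strip():
                findings.append(("TSIG", name, f"missing <{field}>"))
    for direction in ("Inbound", "Outbound"):
        for acl in dns.findall(f"{direction}/*"):   # RequestTransfer, AllowNotify, ...
            for entry in acl:                       # <Remote> or <Peer>
                where = f"{direction}/{acl.tag}"
                addr = (entry.findtext("Address") or entry.findtext("Prefix") or "?").strip()
                key = norm(entry.findtext("Key"))
                if not key:
                    findings.append((where, addr, "no TSIG key referenced"))
                elif key not in declared:
                    findings.append((where, addr, f"undeclared key '{key}'"))
                else:
                    used.add(key)
    for name in sorted(declared - used):
        findings.append(("TSIG", name, "declared but never referenced"))
    return findings
```

An entry without a key is not necessarily wrong, but it should be a deliberate choice that matches what the primary server sends.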