[Opendnssec-user] [EXT] CRITICAL: failed to sign zone

Ulrich-Lorenz Schlüter audiomobster at gmail.com
Mon Aug 19 12:05:37 UTC 2019 

Am 19.08.19 um 11:17 schrieb Andrew Ivanov:
> On Sat, Aug 17, 2019 at 11:04:58AM +0200, Ulrich-Lorenz Schl??ter wrote:
>> Am 16.08.19 um 20:36 schrieb Berry A.W. van Halderen:
>>> On 8/16/19 6:21 PM, Ulrich-Lorenz Schl??ter wrote:
>>>> I checked perms as described.
>>>> Turned up logging verbosity.
>>>> "ods-ksmutil key list --verbose" does not spit out any keys.
>>>>
>>>
>>> Did you perform the upgrade steps to get to 1.4.14?  Where there
>>> any anomalies?
>>> If ods-ksmutil does not list keys, but there are no errors either
>>> then I would suspect problems there.  However if you increased logging
>>> level there should be more explanatory help in the logging.  Perhaps
>>> in the syslog configuration these are repressed, or they end up in a
>>> different log file.
>>>
>>> You can also try the command "ods-hsmutil list" to list keys.  The
>>> ods-ksmutil lists keys as known to OpenDNSSEc, ods-hsmutil lists keys
>>> as found in the HSM.
>> I migrated to fedora 30 aarch64 as upgrading on centos seemed to much of
>> a hassle.
>> By now ods-ksmutil and ods-hsmutil both list keys.
>> opendnssec is missing files in the /var/opendnssec/signed and
>> /var/opendnssec/unsigned folder.
>>
>> Aug 17 10:54:55 one ods-signerd[5550]: [xfrd] zone sycosys.de xfr packet
>> parsed (res 5)
>> Aug 17 10:54:55 one ods-signerd[5550]: [xfrd] xfr/newlease from 127.0.0.1
>> Aug 17 10:54:55 one ods-signerd[5550]: [xfrhandler] netio dispatch
>> Aug 17 10:55:59 one ods-signerd[5550]: [socket] incoming udp message
>> Aug 17 10:55:59 one ods-signerd[5550]: [tsig] parse: not TSIG or not ANY
>> Aug 17 10:55:59 one ods-signerd[5550]: [tsig] parse: not TSIG or not ANY
>> Aug 17 10:55:59 one ods-signerd[5550]: [query] too many additional rrs
>> Aug 17 10:55:59 one ods-signerd[5550]: [query] formerr
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> The problem is here. Check server TSIG-settings and adapters in addns.xml.
I created new keys, changed from hmac-md5 to hmac-sha512, now I get:
unable to sign request: tsig unknown algorithm hmac-sha512

I don't see any obvious error in my addns.xml. The opendnssec-in part
seemed working before, because there are files in /var/opendnssec/tmp

<?xml version="1.0" encoding="UTF-8"?>
<Adapter>
 	<DNS>
		<TSIG>
			<Name>opendnssec-in</Name>
			<Algorithm>hmac-sha512</Algorithm>
			<!-- base64 encoded secret -->
			<Secret>****************</Secret>
		</TSIG>
                <TSIG>
                        <Name>opendnssec-out</Name>
                        <Algorithm>hmac-sha512</Algorithm>
                        <!-- base64 encoded secret -->
                        <Secret>****************</Secret>
                </TSIG>

		<Inbound>
			<!-- Address of host to request XFR from -->
			<RequestTransfer>
				<!-- Send request to 127.0.0.1 on the default port 53 -->
				<Remote>
					<Address>127.0.0.1</Address>
					<Port>53</Port>
					<Key>opendnssec-in</Key>
				</Remote>
			</RequestTransfer>

			<!-- Allow NOTIFY messages from host -->
			<AllowNotify>
				<Peer>
					<Prefix>127.0.0.1</Prefix>
				</Peer>
			</AllowNotify>
		</Inbound>

		<Outbound>
			<!-- Provide XFR to host -->
			<ProvideTransfer>
				<Peer>
					<Prefix>127.0.0.1</Prefix>
					<Key>opendnssec-out</Key>
				</Peer>
			</ProvideTransfer>
	
			<!-- Send NOTIFY messages to host -->
			<Notify>
				<Remote>
					<Address>127.0.0.1</Address>
					<Port>53</Port>
				</Remote>
			</Notify>
		</Outbound>
	</DNS>
</Adapter>

More information about the Opendnssec-user mailing list