[Opendnssec-user] [EXT] CRITICAL: failed to sign zone
Ulrich-Lorenz Schlüter
audiomobster at gmail.com
Mon Aug 19 12:41:59 UTC 2019
Am 19.08.19 um 14:05 schrieb Ulrich-Lorenz Schlüter:
> Am 19.08.19 um 11:17 schrieb Andrew Ivanov:
>> On Sat, Aug 17, 2019 at 11:04:58AM +0200, Ulrich-Lorenz Schl??ter wrote:
>>> Am 16.08.19 um 20:36 schrieb Berry A.W. van Halderen:
>>>> On 8/16/19 6:21 PM, Ulrich-Lorenz Schl??ter wrote:
>>>>> I checked perms as described.
>>>>> Turned up logging verbosity.
>>>>> "ods-ksmutil key list --verbose" does not spit out any keys.
>>>>>
>>>>
>>>> Did you perform the upgrade steps to get to 1.4.14? Where there
>>>> any anomalies?
>>>> If ods-ksmutil does not list keys, but there are no errors either
>>>> then I would suspect problems there. However if you increased logging
>>>> level there should be more explanatory help in the logging. Perhaps
>>>> in the syslog configuration these are repressed, or they end up in a
>>>> different log file.
>>>>
>>>> You can also try the command "ods-hsmutil list" to list keys. The
>>>> ods-ksmutil lists keys as known to OpenDNSSEc, ods-hsmutil lists keys
>>>> as found in the HSM.
>>> I migrated to fedora 30 aarch64 as upgrading on centos seemed to much of
>>> a hassle.
>>> By now ods-ksmutil and ods-hsmutil both list keys.
>>> opendnssec is missing files in the /var/opendnssec/signed and
>>> /var/opendnssec/unsigned folder.
>>>
>>> Aug 17 10:54:55 one ods-signerd[5550]: [xfrd] zone sycosys.de xfr packet
>>> parsed (res 5)
>>> Aug 17 10:54:55 one ods-signerd[5550]: [xfrd] xfr/newlease from 127.0.0.1
>>> Aug 17 10:54:55 one ods-signerd[5550]: [xfrhandler] netio dispatch
>>> Aug 17 10:55:59 one ods-signerd[5550]: [socket] incoming udp message
>>> Aug 17 10:55:59 one ods-signerd[5550]: [tsig] parse: not TSIG or not ANY
>>> Aug 17 10:55:59 one ods-signerd[5550]: [tsig] parse: not TSIG or not ANY
>>> Aug 17 10:55:59 one ods-signerd[5550]: [query] too many additional rrs
>>> Aug 17 10:55:59 one ods-signerd[5550]: [query] formerr
>> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>> The problem is here. Check server TSIG-settings and adapters in addns.xml.
> I created new keys, changed from hmac-md5 to hmac-sha512, now I get:
> unable to sign request: tsig unknown algorithm hmac-sha512
>
> I don't see any obvious error in my addns.xml. The opendnssec-in part
> seemed working before, because there are files in /var/opendnssec/tmp
>
> <?xml version="1.0" encoding="UTF-8"?>
> <Adapter>
> <DNS>
> <TSIG>
> <Name>opendnssec-in</Name>
> <Algorithm>hmac-sha512</Algorithm>
> <!-- base64 encoded secret -->
> <Secret>****************</Secret>
> </TSIG>
> <TSIG>
> <Name>opendnssec-out</Name>
> <Algorithm>hmac-sha512</Algorithm>
> <!-- base64 encoded secret -->
> <Secret>****************</Secret>
> </TSIG>
>
> <Inbound>
> <!-- Address of host to request XFR from -->
> <RequestTransfer>
> <!-- Send request to 127.0.0.1 on the default port 53 -->
> <Remote>
> <Address>127.0.0.1</Address>
> <Port>53</Port>
> <Key>opendnssec-in</Key>
> </Remote>
> </RequestTransfer>
>
> <!-- Allow NOTIFY messages from host -->
> <AllowNotify>
> <Peer>
> <Prefix>127.0.0.1</Prefix>
> </Peer>
> </AllowNotify>
> </Inbound>
>
> <Outbound>
> <!-- Provide XFR to host -->
> <ProvideTransfer>
> <Peer>
> <Prefix>127.0.0.1</Prefix>
> <Key>opendnssec-out</Key>
> </Peer>
> </ProvideTransfer>
>
> <!-- Send NOTIFY messages to host -->
> <Notify>
> <Remote>
> <Address>127.0.0.1</Address>
> <Port>53</Port>
> </Remote>
> </Notify>
> </Outbound>
> </DNS>
> </Adapter>
A restart resolved "tsig unknown algorithm hmac-sha512"
I now get formerr again.
Regards
More information about the Opendnssec-user
mailing list