[Opendnssec-user] [EXT] CRITICAL: failed to sign zone

Ulrich-Lorenz Schlüter audiomobster at gmail.com
Mon Aug 19 13:13:11 UTC 2019


On 19.08.19 at 14:41, Andrew Ivanov wrote:
> On Mon, Aug 19, 2019 at 02:05:37PM +0200, Ulrich-Lorenz Schlüter wrote:
>> On 19.08.19 at 11:17, Andrew Ivanov wrote:
>>> On Sat, Aug 17, 2019 at 11:04:58AM +0200, Ulrich-Lorenz Schlüter wrote:
>>>> On 16.08.19 at 20:36, Berry A.W. van Halderen wrote:
>>>>> On 8/16/19 6:21 PM, Ulrich-Lorenz Schlüter wrote:
>>>>>> I checked perms as described.
>>>>>> Turned up logging verbosity.
>>>>>> "ods-ksmutil key list --verbose" does not spit out any keys.
>>>>>>
>>>>>
>>>> parsed (res 5)
>>>> Aug 17 10:54:55 one ods-signerd[5550]: [xfrd] xfr/newlease from 127.0.0.1
>>>> Aug 17 10:54:55 one ods-signerd[5550]: [xfrhandler] netio dispatch
>>>> Aug 17 10:55:59 one ods-signerd[5550]: [socket] incoming udp message
>>>> Aug 17 10:55:59 one ods-signerd[5550]: [tsig] parse: not TSIG or not ANY
>>>> Aug 17 10:55:59 one ods-signerd[5550]: [tsig] parse: not TSIG or not ANY
>>>> Aug 17 10:55:59 one ods-signerd[5550]: [query] too many additional rrs
>>>> Aug 17 10:55:59 one ods-signerd[5550]: [query] formerr
>>> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>>> The problem is here. Check server TSIG-settings and adapters in addns.xml.
>> I created new keys, changed from hmac-md5 to hmac-sha512, now I get:
>> unable to sign request: tsig unknown algorithm hmac-sha512
> 
> I guess your current version of opendnssec does not support optional hmac algorithms.
> Try to use hmac-sha256. This algorithm is mandatory.
I changed to hmac-sha256.
Still got the formerr.
In addition to /var/log/opendnssec.log, there are logs in
/var/log/messages as well.
Aug 19 14:58:38 one ods-signerd[8391]: [worker[1]] sign zone sycosys.de
Aug 19 14:58:38 one ods-signerd[8391]: [worker[2]] sign zone schlueter.family
Aug 19 14:58:38 one ods-signerd[8391]: [zone] zone sycosys.de set soa serial to 1566219518
Aug 19 14:58:38 one ods-signerd[8391]: [zone] zone schlueter.family set soa serial to 1566219518
Aug 19 14:58:38 one ods-signerd[8391]: [worker[2]] write zone schlueter.family
Aug 19 14:58:38 one ods-signerd[8391]: [tools] skip write zone schlueter.family serial 1566219518 (zone not changed)
Aug 19 14:58:38 one ods-signerd[8391]: [worker[1]] write zone sycosys.de
Aug 19 14:58:38 one ods-signerd[8391]: [tools] skip write zone sycosys.de serial 1566219518 (zone not changed)


