[Opendnssec-user] [hsm] unable to get key
Michael Grimm
trashcan at ellael.org
Thu Apr 15 21:18:06 UTC 2021
Michael Grimm via Opendnssec-user <opendnssec-user at lists.opendnssec.org> wrote:
>
> Berry van Halderen <berry at nlnetlabs.nl> wrote:
[I forgot to mention]
>> I suspect this is an old key that was removed and with a restart there are still
>> old signatures of this key around. An ods-signer clear <zone> will repair the issue,
>> but I'd like to harden the signer to not care about too aggressive key purging.
>
> I did try 'ods-signer clear <zone>' for a domain not in use but part of opendnssec2:
> | Internal zone information about another-example.tld cleared
>
> But I can still find the complained key in:
> /usr/local/var/opendnssec/signconf/another-example.tld.xml: <Locator>df0e8bd101258e85364846f5b3bfea06</Locator>
And the relevant part in ods.log is:
Apr 15 22:30:05 dns2 ods-signerd[56679]: [cmdhandler] internal zone information about another-example.tld.xml cleared
Apr 15 22:30:05 dns2 ods-signerd[56679]: [signconf] zone another-example.tld.xml signconf: RESIGN[PT2H] REFRESH[P3D] VALIDITY[P14D] DENIAL[P14D] KEYSET[PT0S] JITTER[PT12H] OFFSET[PT1H] NSEC[50] DNSKEYTTL[PT1H] SOATTL[PT1H] MINIMUM[PT1H] SERIAL[datecounter]
Apr 15 22:30:05 dns2 ods-signerd[56679]: [zone] unable to update zone another-example.tld.xml soa serial: failed to find soa rrset
Apr 15 22:30:05 dns2 ods-signerd[56679]: [worker[2]] unable to sign zone another-example.tld.xml: failed to increment serial
Apr 15 22:30:05 dns2 ods-signerd[56679]: [worker[2]] CRITICAL: failed to sign zone another-example.tld.xml: General error
>>> Any ideas regarding this and how to debug this issue
>>
>> See above ;-)
>
> That didn't work ;-)
What I meant is 'ods-signer clear <zone>'.
Regards,
Michael
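Added example, not from the thread or the OpenDNSSEC project: a small Python check that does two things a defender would want when ods-signerd reports it cannot get a key. It parses ods.log lines in the format shown above, groups the error chain per zone for every zone with a CRITICAL "failed to sign zone" entry, and it compares the <Locator> values in a signconf file against the set of key identifiers actually present in the HSM. The log lines and the signconf fragment are constructed to mirror the excerpt in the mail; the HSM locator set is assumed to come from elsewhere (for instance the identifiers listed by ods-hsmutil list), and is passed in as a plain set. The zone name is reported exactly as logged, so a name such as another-example.tld.xml shows up as-is and can be compared with the zone name the signconf declares.

```python
import re
import xml.etree.ElementTree as ET
from collections import OrderedDict

# Constructed sample, modelled on the ods.log excerpt in the mail (not real log data).
SAMPLE_LOG = """\
Apr 15 22:30:05 dns2 ods-signerd[56679]: [cmdhandler] internal zone information about another-example.tld.xml cleared
Apr 15 22:30:05 dns2 ods-signerd[56679]: [signconf] zone another-example.tld.xml signconf: RESIGN[PT2H] REFRESH[P3D]
Apr 15 22:30:05 dns2 ods-signerd[56679]: [zone] unable to update zone another-example.tld.xml soa serial: failed to find soa rrset
Apr 15 22:30:05 dns2 ods-signerd[56679]: [worker[2]] unable to sign zone another-example.tld.xml: failed to increment serial
Apr 15 22:30:05 dns2 ods-signerd[56679]: [worker[2]] CRITICAL: failed to sign zone another-example.tld.xml: General error
"""

# Constructed signconf fragment in the style of OpenDNSSEC's signconf files; the
# locator values are made up (the first one mirrors the one quoted in the mail).
SAMPLE_SIGNCONF = """<?xml version="1.0"?>
<SignerConfiguration>
  <Zone name="another-example.tld">
    <Keys>
      <Key><Flags>257</Flags><Algorithm>8</Algorithm><Locator>df0e8bd101258e85364846f5b3bfea06</Locator><KSK/><Publish/></Key>
      <Key><Flags>256</Flags><Algorithm>8</Algorithm><Locator>0123456789abcdef0123456789abcdef</Locator><ZSK/><Publish/></Key>
    </Keys>
  </Zone>
</SignerConfiguration>
"""

# syslog-style prefix, then "[component] message"; the component may itself carry
# one bracketed index such as worker[2].
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) ods-signerd\[(?P<pid>\d+)\]: "
    r"\[(?P<comp>[^\[\]]*(?:\[[^\]]*\])?)\] (?P<msg>.*)$"
)
CRITICAL_RE = re.compile(r"^CRITICAL: failed to sign zone (\S+):")


def parse_log(text):
    """Yield one dict per ods-signerd line; lines in another format are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def failed_zones(text):
    """Map each zone with a CRITICAL sign failure to the error messages that mention it.

    The CRITICAL line is the trigger; the earlier 'unable ...'/'failed ...' lines for the
    same zone are the chain that explains it (here: no SOA RRset, so no serial increment).
    """
    records = list(parse_log(text))
    failures = OrderedDict()
    for rec in records:
        m = CRITICAL_RE.match(rec["msg"])
        if m:
            failures.setdefault(m.group(1), [])
    for rec in records:
        msg = rec["msg"]
        if "unable" not in msg and "failed" not in msg:
            continue
        for zone in failures:
            if zone in msg:
                failures[zone].append(msg)
    return failures


def signconf_locators(xml_text):
    """Return (zone name, set of key locators) declared in a signconf document."""
    root = ET.fromstring(xml_text)
    zone = root.find("Zone")
    name = zone.get("name") if zone is not None else None
    return name, {loc.text.strip() for loc in root.iter("Locator") if loc.text}


def missing_locators(xml_text, hsm_locators):
    """Locators the signconf references that are not present in the HSM.

    hsm_locators is assumed to be the set of key identifiers the HSM actually holds.
    A non-empty result is the condition behind an 'unable to get key' error.
    """
    _, wanted = signconf_locators(xml_text)
    return wanted - set(hsm_locators)


if __name__ == "__main__":
    for zone, chain in failed_zones(SAMPLE_LOG).items():
        print(f"zone {zone}: {len(chain)} error line(s)")
        for msg in chain:
            print("   ", msg)
    # Constructed HSM inventory: only the ZSK locator is present.
    present = {"0123456789abcdef0123456789abcdef"}
    print("signconf zone:", signconf_locators(SAMPLE_SIGNCONF)[0])
    print("locators missing from HSM:", missing_locators(SAMPLE_SIGNCONF, present))
```

Run against a real ods.log and the zone's signconf, with the HSM inventory filled in from the key listing tool you use, the two reports side by side separate the two causes this thread circles around: a signconf that still references a purged key, versus a zone whose name or unsigned input the signer cannot find at all.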