[Opendnssec-user] [hsm] unable to get key

Michael Grimm trashcan at ellael.org
Thu Apr 15 21:18:06 UTC 2021

Michael Grimm via Opendnssec-user <opendnssec-user at lists.opendnssec.org> wrote:
> Berry van Halderen <berry at nlnetlabs.nl> wrote:

[I forgot to mention]

>> I suspect this is an old key that was removed and with a restart there are still
>> old signatures of this key around.  A ods-signer clear <zone> will repair the issue,
>> but I'd like to harden the signer to not care about too agressive key purging.
> I did try 'ods-signer clear <zone>' for a domain not in use but part of opendnssec2:
> | Internal zone information about another-example.tld cleared
> But I can still find the complained key in:
> /usr/local/var/opendnssec/signconf/another-example.tld.xml:        <Locator>df0e8bd101258e85364846f5b3bfea06</Locator>

And the relevant part in ods.log is:

Apr 15 22:30:05 dns2 ods-signerd[56679]: [cmdhandler] internal zone information about another-example.tld.xml cleared
Apr 15 22:30:05 dns2 ods-signerd[56679]: [signconf] zone another-example.tld.xml signconf: RESIGN[PT2H] REFRESH[P3D] VALIDITY[P14D] DENIAL[P14D] KEYSET[PT0S] JITTER[PT12H] OFFSET[PT1H] NSEC[50] DNSKEYTTL[PT1H] SOATTL[PT1H] MINIMUM[PT1H] SERIAL[datecounter]
Apr 15 22:30:05 dns2 ods-signerd[56679]: [zone] unable to update zone another-example.tld.xml soa serial: failed to find soa rrset
Apr 15 22:30:05 dns2 ods-signerd[56679]: [worker[2]] unable to sign zone another-example.tld.xml: failed to increment serial
Apr 15 22:30:05 dns2 ods-signerd[56679]: [worker[2]] CRITICAL: failed to sign zone another-example.tld.xml: General error

>>> Any ideas regarding this and how to debug this issue
>> See above ;-)
> That didn't work ;-)

What I meant is 'ods-signer clear <zone>'.


More information about the Opendnssec-user mailing list