[Opendnssec-user] [hsm] unable to get key
Berry van Halderen
berry at nlnetlabs.nl
Fri Apr 16 07:13:31 UTC 2021
On 2021-04-15 22:37, Michael Grimm wrote:
> Berry van Halderen <berry at nlnetlabs.nl> wrote
>> On 2021-04-15 21:29, Michael Grimm via Opendnssec-user wrote:
> <Key>
> <Flags>256</Flags>
> <Algorithm>13</Algorithm>
> <Locator>c9b713853a6757d0ac806ddc6384968c</Locator>
>
> here ;-)
>
> </Key>
Yep, that's the way I expected it to be. I'll harden the signer for it.
>> I suspect this is an old key that was removed and with a restart there
>> are still
>> old signatures of this key around. A ods-signer clear <zone> will
>> repair the issue,
>> but I'd like to harden the signer to not care about too aggressive key
>> purging.
>
> I did try 'ods-signer clear <zone>' for a domain not in use but part
> of opendnssec2:
> | Internal zone information about another-example.tld cleared
>
> But I can still find the complained key in:
> /usr/local/var/opendnssec/signconf/another-example.tld.xml:
> <Locator>df0e8bd101258e85364846f5b3bfea06</Locator>
>
>
>>> But why does the signer look for keys not available in the hsm
>>> database?
>>
>> Probably because there are still signatures with this key.
>
> I have restarted that jail numerous times after my manual purge and
> never ran into this issue.
> My ZSK rollover completed last week. Thus, that key shouldn't be in
> use any longer.
> And, I had some signing going in the last day. I had had to update my
> zones due to dkim and dmarc addition.
> No error messages at that time.
> But anyway, how can I find out?
>
>>> Any ideas regarding this and how to debug this issue
>>
>> See above ;-)
>
> That didn't work ;-)
> Would it be an option to remove those no longer available Locator
> entries in /usr/local/var/opendnssec/signconf/ manually (by
> scripting)?
That will help, but I would remove them just once by editing it.
Next step of the enforcer would be to remove those entries, so they
shouldn't come back, and I'll have a hardened signer for you then
anyway.
For now, just remove the keys from the signconf and perform a
ods-signer update --all
\Berry
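The one-off clean-up Berry describes (drop the stale <Key> entries from the zone's signconf, then run ods-signer update --all), as an added example that is not code from this thread or from OpenDNSSEC itself. It assumes the quoted <Key> entries sit inside a <SignerConfiguration>/<Zone>/<Keys> wrapper, and that the operator supplies the set of locators the HSM still holds (constructed here); it refuses to empty a zone's key set, since that almost always means the HSM listing is wrong rather than the signconf.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of the <Key> entries quoted above; the
# <SignerConfiguration>/<Zone>/<Keys> wrapper is an assumption about the layout.
SAMPLE_SIGNCONF = """<SignerConfiguration>
  <Zone name="another-example.tld">
    <Keys>
      <Key>
        <Flags>256</Flags>
        <Algorithm>13</Algorithm>
        <Locator>c9b713853a6757d0ac806ddc6384968c</Locator>
      </Key>
      <Key>
        <Flags>256</Flags>
        <Algorithm>13</Algorithm>
        <Locator>df0e8bd101258e85364846f5b3bfea06</Locator>
      </Key>
    </Keys>
  </Zone>
</SignerConfiguration>
"""

# Constructed: locators the HSM still holds (the purged old ZSK is absent).
HSM_LOCATORS = {"c9b713853a6757d0ac806ddc6384968c"}


def prune_stale_keys(signconf_xml, hsm_locators):
    """Drop each <Key> whose <Locator> is not in the HSM; returns
    (rewritten XML, removed locators). Refuses to empty a <Keys> block
    or to touch a <Key> without a <Locator>: either almost certainly
    means the HSM listing, not the signconf, is wrong."""
    root = ET.fromstring(signconf_xml)
    removed = []
    for keys in list(root.iter("Keys")):  # list(): we mutate while walking
        entries = keys.findall("Key")
        stale = []
        for key in entries:
            loc = (key.findtext("Locator") or "").strip()
            if not loc:
                raise ValueError("<Key> without a <Locator>; not touching it")
            if loc not in hsm_locators:
                stale.append((key, loc))
        if stale and len(stale) == len(entries):
            raise ValueError("every key is unknown to the HSM; check the listing")
        for key, loc in stale:
            keys.remove(key)
            removed.append(loc)
    return ET.tostring(root, encoding="unicode"), removed


if __name__ == "__main__":
    print("removed:", prune_stale_keys(SAMPLE_SIGNCONF, HSM_LOCATORS)[1])
```

Write the returned XML back over the zone's signconf file and then run ods-signer update --all, as Berry says.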