[Opendnssec-user] [hsm] unable to get key
Berry van Halderen
berry at nlnetlabs.nl
Fri Apr 16 07:13:31 UTC 2021
On 2021-04-15 22:37, Michael Grimm wrote:
> Berry van Halderen <berry at nlnetlabs.nl> wrote
>> On 2021-04-15 21:29, Michael Grimm via Opendnssec-user wrote:
> here ;-)
Yep, that's the way I expected it to be. I'll harden the signer for it.
>> I suspect this is an old key that was removed and with a restart there
>> are still
>> old signatures of this key around. A ods-signer clear <zone> will
>> repair the issue,
>> but I'd like to harden the signer to not care about too aggressive key
> I did try 'ods-signer clear <zone>' for a domain not in use but part
> of opendnssec2:
> | Internal zone information about another-example.tld cleared
> But I can still find the complained key in:
>>> But why does the signer looks for keys not available in the hsm
>> Probably because there are still signatures with this key.
> I have restarted that jail numerous times after my manual purge and
> never ran into this issue.
> My ZSK rollover completed last week. Thus, that key shouldn't be in
> use any longer.
> And, I had some signing going in the last day. I had had to update my
> zones due to dkim and dmarc addition.
> No error messages at that time.
> But anyway, how can I find out?
>>> Any ideas regarding this and how to debug this issue
>> See above ;-)
> That didn't work ;-)
> Would it be an option to remove those no longer available Locator
> entries in /usr/local/var/opendnssec/signconf/ manually (by
That will help, but I would remove them just once by editing it.
Next step of the enforcer would be to remove those entries, so they
shouldn't come back, and I'll have a hardened signer for you then
For now, just remove the keys from the signconf and perform an
ods-signer update --all
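A scripted way to do the one-off cleanup suggested above, rather than editing the signconf XML by hand. This is an added example, not code from Berry or from the OpenDNSSEC project. It assumes the signconf layout the signer reads (SignerConfiguration/Zone/Keys/Key/Locator), that the set of locators still present in the HSM is obtained separately (for example from `ods-hsmutil list`), and the sample signconf and locator set below are constructed for the demonstration. It refuses to empty the key list entirely, keeps a .bak copy of the file, and reminds the operator to run `ods-signer update --all` afterwards; since the enforcer rewrites signconf files, this is meant to be run once, as Berry says, not on a schedule.

```python
"""Drop <Key> entries from an OpenDNSSEC signconf whose Locator is missing from the HSM.

Added example, not OpenDNSSEC's own code. The element layout
(SignerConfiguration/Zone/Keys/Key/Locator) is an assumption about the
files under the signconf/ directory; the HSM locator set is assumed to be
taken from `ods-hsmutil list` or the enforcer's key listing.
"""
import sys
import xml.etree.ElementTree as ET

# Constructed sample signconf: two keys, the ZSK ("deadbeef...") has
# already been purged from the HSM. Assumed layout, not a real zone.
SAMPLE_SIGNCONF = """<?xml version="1.0" encoding="UTF-8"?>
<SignerConfiguration>
  <Zone name="another-example.tld">
    <Keys>
      <TTL>PT3600S</TTL>
      <Key>
        <Flags>257</Flags>
        <Algorithm>8</Algorithm>
        <Locator>0123456789abcdef0123456789abcdef</Locator>
        <KSK/>
        <Publish/>
      </Key>
      <Key>
        <Flags>256</Flags>
        <Algorithm>8</Algorithm>
        <Locator>deadbeefdeadbeefdeadbeefdeadbeef</Locator>
        <ZSK/>
        <Publish/>
      </Key>
    </Keys>
  </Zone>
</SignerConfiguration>
"""

# Constructed: the locators the HSM actually still holds.
SAMPLE_HSM_LOCATORS = {"0123456789abcdef0123456789abcdef"}


def prune_missing_keys(signconf_xml, hsm_locators):
    """Return (cleaned XML text, list of removed locators).

    Every <Key> whose <Locator> is not in hsm_locators is dropped; all other
    elements are left untouched. Raises ValueError rather than writing out a
    key list with no keys, which would only break signing in a different way.
    """
    root = ET.fromstring(signconf_xml)
    removed = []
    for keys in root.iter("Keys"):
        for key in list(keys.findall("Key")):
            loc = key.findtext("Locator", default="").strip()
            if loc not in hsm_locators:
                keys.remove(key)
                removed.append(loc)
        if not keys.findall("Key"):
            raise ValueError("refusing to remove every key from the signconf")
    return ET.tostring(root, encoding="unicode"), removed


def main(path, locators):
    """Rewrite one signconf file in place, keeping a .bak copy of the original."""
    with open(path, encoding="utf-8") as fh:
        original = fh.read()
    cleaned, removed = prune_missing_keys(original, set(locators))
    with open(path + ".bak", "w", encoding="utf-8") as fh:
        fh.write(original)  # copy before touching the live file
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(cleaned)
    for loc in removed:
        print("removed key with locator", loc)
    print("now run: ods-signer update --all")


if __name__ == "__main__":
    # usage: prune_signconf.py <signconf.xml> <locator-still-in-hsm> [...]
    main(sys.argv[1], sys.argv[2:])
```

Run it against a copy first; the enforcer regenerates signconf files, so if the stale locators reappear after the next enforcer run the problem is upstream in the enforcer's key list, not in the file.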