[Opendnssec-user] [hsm] unable to get key

Berry van Halderen berry at nlnetlabs.nl
Mon Aug 23 09:14:27 UTC 2021

On 2021-08-22 23:24, Randy Bush via Opendnssec-user wrote:
>> I'm looking for both cause and quick fix.  For either, can you
>> perform a
>>   ods-enforcer key list -d | grep eae33574e49b6b581e348f6252fb86a5
>     # ods-enforcer key list -d | grep eae33574e49b6b581e348f6252fb86a5
>     #

Good, that confirms my suspicion.

>> I'm wondering whether this key is being retired.
>> In which case a patch fix might be to remove the signconf file
>> for this zone;
>>   rm /var/opendnssec/signconf/hipster.biz.xml
>> and regenerate this:
>>   ods-enforcer signconf
> it'a all zones.  i could do it for all?  maybe experiment with this one
> first.
>     # rm /usr/local/var/opendnssec/signconf/hipster.biz.xml
>     # ods-enforcer signconf
>     # ls -l /usr/local/var/opendnssec/signconf/hipster.biz.xml
>     -rw-r--r--  1 opendnssec  opendnssec  971 Aug 22 20:54
> /usr/local/var/opendnssec/signconf/hipster.biz.xml
> removing that one and `ods-enforcer signconf` either stopped the 
> problem
> or broke logging :)

I think it stopped the problem, and is something that should have done 
the enforcer, hence a bug.  I'll try to reproduce and fix that late
afternoon.  Meanwhile you can fix your setup by doing this to all
zones.  These signconf files are designed to be able to be thrown away
and generated if desired, so there will be no harm.


More information about the Opendnssec-user mailing list