Hello,

We're testing a DNSSEC system with bind-9.10.3-P4, openssl-1.0.1t and a Utimaco HSM. My system operates normally in manual signing mode. But when I change to inline signing mode, the system cannot re-sign domain zones after dnssec-loadkeys-interval (60 minutes by default).

I configured the zone options in named.conf for inline-signing mode:

    zone "dnssec.test" in {
        type master;
        file "db.dnssec.test";
        key-directory "/data/dnssec/keys/dnssec.test/";
        auto-dnssec maintain;
        inline-signing yes;
    };

I changed openssl.cnf to support automatically re-signing domain zones:

    openssl_conf = openssl_def

    [ openssl_def ]
    engines = engine_section

    [ engine_section ]
    pkcs11 = pkcs11_section

    [ pkcs11_section ]
    PIN = xxxxx

Then I restarted named, and the system re-signs automatically when new records are inserted via the nsupdate command. But after dnssec-loadkeys-interval (60 minutes by default), BIND cannot load the private key from the HSM to re-sign the zone. This is the BIND log:

    02-Jun-2016 11:47:28.557 general: info: zone dnssec.test/IN (signed): loaded serial 2016051809
    02-Jun-2016 11:47:28.558 general: error: zone dnssec.test/IN (signed): receive_secure_serial: unchanged
    02-Jun-2016 11:47:28.558 general: info: zone dnssec.test/IN (signed): reconfiguring zone keys
    02-Jun-2016 11:55:14.046 general: info: received control channel command 'signing -list dnssec.test'
    02-Jun-2016 12:00:49.378 general: info: received control channel command 'loadkeys dnssec.test'
    02-Jun-2016 12:00:49.378 general: info: zone dnssec.test/IN (signed): reconfiguring zone keys
    02-Jun-2016 12:00:49.383 general: info: zone dnssec.test/IN (signed): next key event: 02-Jun-2016 13:00:49.378
    02-Jun-2016 13:00:49.378 general: info: zone dnssec.test/IN (signed): reconfiguring zone keys
    02-Jun-2016 13:00:49.379 general: warning: ENGINE_load_private_key failed (not found)
    02-Jun-2016 13:00:49.380 general: info: error:26096080:engine routines:ENGINE_load_private_key:failed loading private key:eng_pkey.c:126:
    02-Jun-2016 13:00:49.380 general: warning: dns_dnssec_keylistfromrdataset: error reading private key file dnssec.test/RSASHA256/4494: not found

So what's wrong here?

Thanks in advance for any help.

Kien Nguyen
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
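The log above is the kind of thing a practitioner wants a monitoring job to catch: the private key for dnssec.test/RSASHA256/4494 became unreadable exactly when the scheduled key-maintenance run fired, one dnssec-loadkeys-interval (60 minutes) after the manual `rndc loadkeys`. The following is an added example, not code from the original post or from ISC BIND: it parses named log lines in the format quoted in the post (the sample below is a constructed copy of those lines), pairs each "error reading private key file" message with the most recent "reconfiguring zone keys" run for the same zone and with any preceding `ENGINE_load_private_key` failure, and reports whether the failure happened during scheduled key maintenance and what the interval between maintenance runs was. The 5-second correlation window and the log-line regexes are assumptions for this example.

```python
"""Scan a BIND named log for DNSSEC private-key load failures and tell whether
they coincide with the scheduled key-maintenance run (dnssec-loadkeys-interval).

Added example for this thread; not code from the original post or from ISC BIND.
"""
import re
from datetime import datetime, timedelta

TS_FMT = "%d-%b-%Y %H:%M:%S.%f"

# Generic named log line: "<timestamp> <category>: <severity>: <message>" (assumed layout)
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"(?P<cat>[\w-]+): (?P<lvl>\w+): (?P<msg>.*)$"
)
# Key-maintenance run; "(signed)" is the inline-signing secure copy of the zone.
RECONF_RE = re.compile(
    r"^zone (?P<zone>[^/\s]+)/IN(?:/\S+)?(?: \((?:signed|unsigned)\))?: reconfiguring zone keys$"
)
# The OpenSSL engine could not hand back the key.
ENGINE_RE = re.compile(r"ENGINE_load_private_key failed \((?P<why>[^)]*)\)")
# BIND could not read the private key for <zone>/<algorithm>/<keytag>.
KEYFILE_RE = re.compile(
    r"error reading private key file (?P<zone>[^/\s]+)/(?P<alg>[^/\s]+)/(?P<tag>\d+): (?P<why>.*)$"
)

# Constructed sample: the log lines quoted in the post above, one per line.
SAMPLE_LOG = """\
02-Jun-2016 11:47:28.557 general: info: zone dnssec.test/IN (signed): loaded serial 2016051809
02-Jun-2016 11:47:28.558 general: error: zone dnssec.test/IN (signed): receive_secure_serial: unchanged
02-Jun-2016 11:47:28.558 general: info: zone dnssec.test/IN (signed): reconfiguring zone keys
02-Jun-2016 11:55:14.046 general: info: received control channel command 'signing -list dnssec.test'
02-Jun-2016 12:00:49.378 general: info: received control channel command 'loadkeys dnssec.test'
02-Jun-2016 12:00:49.378 general: info: zone dnssec.test/IN (signed): reconfiguring zone keys
02-Jun-2016 12:00:49.383 general: info: zone dnssec.test/IN (signed): next key event: 02-Jun-2016 13:00:49.378
02-Jun-2016 13:00:49.378 general: info: zone dnssec.test/IN (signed): reconfiguring zone keys
02-Jun-2016 13:00:49.379 general: warning: ENGINE_load_private_key failed (not found)
02-Jun-2016 13:00:49.380 general: info: error:26096080:engine routines:ENGINE_load_private_key:failed loading private key:eng_pkey.c:126:
02-Jun-2016 13:00:49.380 general: warning: dns_dnssec_keylistfromrdataset: error reading private key file dnssec.test/RSASHA256/4494: not found
"""


def parse_log(text):
    """Return [(timestamp, severity, message)] for every well-formed line, in time order."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            events.append((datetime.strptime(m["ts"], TS_FMT), m["lvl"], m["msg"]))
    return sorted(events, key=lambda e: e[0])


def key_load_failures(text, window=timedelta(seconds=5)):
    """One finding per 'error reading private key file' line.

    at_key_event:  the failure followed a 'reconfiguring zone keys' run for the
                   same zone within `window`, i.e. it happened during scheduled
                   key maintenance rather than during a manual rndc command.
    interval_min:  minutes between the last two maintenance runs for the zone;
                   with BIND defaults this is dnssec-loadkeys-interval (60).
    engine_error:  reason from a preceding ENGINE_load_private_key warning, if any.
    """
    reconf = {}           # zone -> [timestamps of key-maintenance runs seen so far]
    last_engine = None    # (timestamp, reason) of the most recent engine failure
    findings = []
    for ts, _lvl, msg in parse_log(text):
        m = RECONF_RE.match(msg)
        if m:
            reconf.setdefault(m["zone"], []).append(ts)
            continue
        m = ENGINE_RE.search(msg)
        if m:
            last_engine = (ts, m["why"])
            continue
        m = KEYFILE_RE.search(msg)
        if not m:
            continue
        runs = reconf.get(m["zone"], [])
        at_event = bool(runs) and ts - runs[-1] <= window
        interval = (runs[-1] - runs[-2]).total_seconds() / 60 if len(runs) >= 2 else None
        engine_why = last_engine[1] if last_engine and ts - last_engine[0] <= window else None
        findings.append({
            "time": ts, "zone": m["zone"], "key": f'{m["alg"]}/{m["tag"]}',
            "reason": m["why"], "engine_error": engine_why,
            "at_key_event": at_event, "interval_min": interval,
        })
    return findings


def summarize(findings):
    """One alert line per finding, suitable for a monitoring hook."""
    lines = []
    for f in findings:
        when = "during scheduled key maintenance" if f["at_key_event"] else "outside key maintenance"
        extra = f" (engine: {f['engine_error']})" if f["engine_error"] else ""
        lines.append(f"{f['time']:%Y-%m-%d %H:%M:%S} {f['zone']}: private key {f['key']} "
                     f"unreadable {when}: {f['reason']}{extra}")
    return lines


if __name__ == "__main__":
    for line in summarize(key_load_failures(SAMPLE_LOG)):
        print(line)
```

Run against the sample, the single finding reports the key as unreadable during scheduled key maintenance with the engine reason "not found" and a 60-minute gap between the last two maintenance runs, which is what ties the symptom to dnssec-loadkeys-interval rather than to nsupdate-triggered signing. Pointed at a real named log (for example `tail -F` piped into `key_load_failures`), the same check distinguishes a key that fails only at the timer-driven reload from one that is unreadable on every access.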