Hello,
We're testing a DNSSEC system with bind-9.10.3-P4, openssl-1.0.1t and a Utimaco HSM.
My system can operate normally in manual signing mode. But when I change to
inline signing mode, the system cannot resign domain zones after
dnssec-loadkeys-interval (60 minutes by default).
I configured the zone options in named.conf for inline-signing mode:
zone "dnssec.test" in {
        type master;
        file "db.dnssec.test";
        key-directory "/data/dnssec/keys/dnssec.test/";
        auto-dnssec maintain;
        inline-signing yes;
};

I changed openssl.cnf to support automatically resigning domain zones:
openssl_conf = openssl_def
[ openssl_def ]
engines = engine_section
[ engine_section ]
pkcs11 = pkcs11_section
[ pkcs11_section ]
PIN = xxxxx

And then I restarted named, and the system can resign automatically when new
records are inserted via the nsupdate command. But after dnssec-loadkeys-interval (60
minutes by default), bind cannot load the private key from the HSM to resign the zone.

This is the log of bind:
02-Jun-2016 11:47:28.557 general: info: zone dnssec.test/IN (signed): loaded serial 2016051809
02-Jun-2016 11:47:28.558 general: error: zone dnssec.test/IN (signed): receive_secure_serial: unchanged
02-Jun-2016 11:47:28.558 general: info: zone dnssec.test/IN (signed): reconfiguring zone keys
02-Jun-2016 11:55:14.046 general: info: received control channel command 'signing -list dnssec.test'
02-Jun-2016 12:00:49.378 general: info: received control channel command 'loadkeys dnssec.test'
02-Jun-2016 12:00:49.378 general: info: zone dnssec.test/IN (signed): reconfiguring zone keys
02-Jun-2016 12:00:49.383 general: info: zone dnssec.test/IN (signed): next key event: 02-Jun-2016 13:00:49.378
02-Jun-2016 13:00:49.378 general: info: zone dnssec.test/IN (signed): reconfiguring zone keys
02-Jun-2016 13:00:49.379 general: warning: ENGINE_load_private_key failed (not found)
02-Jun-2016 13:00:49.380 general: info: error:26096080:engine routines:ENGINE_load_private_key:failed loading private key:eng_pkey.c:126:
02-Jun-2016 13:00:49.380 general: warning: dns_dnssec_keylistfromrdataset: error reading private key file dnssec.test/RSASHA256/4494: not found

So what's wrong here? Thanks in advance for any help.
Kien Nguyen
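Added example, not from the poster or from ISC: a small Python check that pairs each "reconfiguring zone keys" event in named's log with a private-key read failure for the same zone that follows within a few seconds, so a failed HSM key reload at the dnssec-loadkeys-interval boundary can be alerted on instead of being discovered when signatures expire. The log format and sample lines come from the post above (one record per line); the pairing window is an assumption.

```python
import re
from datetime import datetime

# Constructed sample: a subset of the named log lines quoted in the post,
# one log record per line (the mail wraps them at 80 columns).
SAMPLE_LOG = """\
02-Jun-2016 12:00:49.378 general: info: zone dnssec.test/IN (signed): reconfiguring zone keys
02-Jun-2016 12:00:49.383 general: info: zone dnssec.test/IN (signed): next key event: 02-Jun-2016 13:00:49.378
02-Jun-2016 13:00:49.378 general: info: zone dnssec.test/IN (signed): reconfiguring zone keys
02-Jun-2016 13:00:49.379 general: warning: ENGINE_load_private_key failed (not found)
02-Jun-2016 13:00:49.380 general: warning: dns_dnssec_keylistfromrdataset: error reading private key file dnssec.test/RSASHA256/4494: not found
"""

TS_FMT = "%d-%b-%Y %H:%M:%S.%f"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"(?P<cat>\w+): (?P<lvl>\w+): (?P<msg>.*)$")
RECONF_RE = re.compile(r"^zone (?P<zone>\S+)/IN \(signed\): reconfiguring zone keys$")
KEYFAIL_RE = re.compile(
    r"error reading private key file "
    r"(?P<zone>[^/]+)/(?P<alg>[^/]+)/(?P<keyid>\d+): (?P<reason>.+)$")


def parse(log_text):
    """Turn named log lines into (timestamp, level, message) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.strptime(m["ts"], TS_FMT), m["lvl"], m["msg"]))
    return events


def find_failed_key_reloads(log_text, window_s=5.0):
    """Return one finding per key reconfiguration that is followed, within
    window_s seconds (assumed value), by a private-key read failure for the
    same zone. The 12:00 reload in the sample is healthy; 13:00 is not."""
    events = parse(log_text)
    findings = []
    for i, (ts, _lvl, msg) in enumerate(events):
        r = RECONF_RE.match(msg)
        if not r:
            continue
        for ts2, _lvl2, msg2 in events[i + 1:]:
            if (ts2 - ts).total_seconds() > window_s:
                break
            k = KEYFAIL_RE.search(msg2)
            if k and k["zone"] == r["zone"]:
                findings.append({"zone": k["zone"], "alg": k["alg"],
                                 "keyid": int(k["keyid"]),
                                 "reason": k["reason"], "at": ts.isoformat()})
    return findings


if __name__ == "__main__":
    for f in find_failed_key_reloads(SAMPLE_LOG):
        print(f"{f['at']} zone {f['zone']}: key {f['alg']}/{f['keyid']} {f['reason']}")
```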
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users