Hi Klaus, I am glad you found the cause of the problem and shared this on the list.
Best regards,
  Matthijs

On 11/19/2013 10:19 AM, Klaus Darilion wrote:
> Update: we have found the problem.
>
> The problem was that the enforcer was running as user 'opendnssec' but
> the signer ran as user 'root'. Therefore, the enforcer could not notify
> the signer about the signconf update.
>
> The relevant log message was "Could not call signer engine".
>
> Obviously the signer re-reads the signconf not only on "update", but
> also on restart. This makes sense, as the signer could have missed an
> "update" while it was not running.
>
> Thanks for the troubleshooting hints
> Klaus
>
> On 15.11.2013 13:42, Klaus Darilion wrote:
>>
>>
>> On 14.11.2013 15:13, Matthijs Mekking wrote:
>>> On 11/14/2013 02:26 PM, Klaus Darilion wrote:
>>>
>>>>>> Meanwhile I restarted the ods-signer daemon and after the next zone
>>>>>> file update, ods signed with the correct key. So for now it is fixed,
>>>>>> but do you have any ideas why the signer still used the old KSK after
>>>>>> the KSK rollover?
>>>>>
>>>>> Can you perhaps provide logs (off list if you wish)?
>>>>
>>>> We have syslog logging, but this is rather quiet. Is there anything
>>>> special for which I should look?
>>>
>>> I just wanted to make sure no warnings or errors were logged.
>>
>> I just checked the logs. The enforcer logged the rollovers (e.g. waiting
>> for ds-seen, ...), but no errors or warnings. Also the signer did not
>> log any warnings/errors. We triggered both - a manual ZSK rollover,
>> followed by a manual KSK rollover and both showed the same problem. The
>> enforcer switched to the new key, but the signer still used the old key.
>>
>> I also checked the signed zone files (we back them up after every signing
>> run): The new KSK and the new ZSK never showed up in the zone file, only
>> when I restarted the signer daemon, it switched from the old to the new
>> keys.
>>
>> regards
>> Klaus
>> _______________________________________________
>> Opendnssec-user mailing list
>> [email protected]
>> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
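
Added example, not part of the original thread: a shell check for the condition Klaus describes, where the enforcer and signer run as different users and the log carries "Could not call signer engine". The daemon names ods-enforcerd and ods-signerd, the function names, and the sample process list and log lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Daemon names are assumed to be
# ods-enforcerd and ods-signerd; adjust if your packages name them differently.

# Constructed sample input: "user command" pairs, one process per line
# (the shape produced by `ps -eo user=,comm=`), and two syslog-style lines.
SAMPLE_PS='opendnssec ods-enforcerd
root ods-signerd
root sshd'
SAMPLE_LOG='Nov 15 13:40:01 host ods-enforcerd: Could not call signer engine
Nov 15 13:45:00 host cron: job finished'

# Print the distinct user(s) running daemon $1, read from ps-style stdin.
ods_daemon_user() {
    awk -v name="$1" '$2 == name { print $1 }' | sort -u
}

# Read ps-style lines on stdin and print one verdict:
#   missing                              one of the daemons is not running
#   match user=U                         both run as the same user
#   mismatch enforcer=U1 signer=U2       the situation from the thread
ods_user_check() {
    ps_lines=$(cat)
    enf=$(printf '%s\n' "$ps_lines" | ods_daemon_user ods-enforcerd)
    sig=$(printf '%s\n' "$ps_lines" | ods_daemon_user ods-signerd)
    if [ -z "$enf" ] || [ -z "$sig" ]; then
        echo "missing"
    elif [ "$enf" = "$sig" ]; then
        echo "match user=$enf"
    else
        echo "mismatch enforcer=$enf signer=$sig"
    fi
}

# Count log lines on stdin that carry the message quoted in the thread.
# grep exits non-zero on zero matches, so the status is neutralised.
count_notify_failures() {
    grep -c 'Could not call signer engine' || true
}

# Demonstration on the constructed samples.
printf '%s\n' "$SAMPLE_PS" | ods_user_check
printf '%s\n' "$SAMPLE_LOG" | count_notify_failures
```

On a live host the same functions can be fed from `ps -eo user=,comm=` and from the syslog file the daemons write to.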
