Hi, I'm new to the list, just started working on our OpenDNSSEC project with Mark Elkins.
It seems to work if I generate the keys by hand. For example, this is the error when there are no keys:

ods-enforcerd: 2 zone(s) found on policy "zacr-nsec3"
ods-enforcerd: 2 new KSK(s) (2048 bits) need to be created for policy zacr-nsec3: keys_to_generate(2) = keys_needed(2) - keys_available(0).
ods-signerd: [hsm] libhsm connection opened succesfully
ods-signerd: [engine] signer started (version 1.4.5), pid 15672
ods-signerd: [worker[1]] CRITICAL: failed to sign zone za: General error
ods-signerd: [worker[1]] backoff task [configure] for zone za with 60 seconds
ods-signerd: [worker[2]] CRITICAL: failed to sign zone web.za: General error
ods-signerd: [worker[2]] backoff task [configure] for zone web.za with 60 seconds
kernel: [687265.213229] ods-enforcerd[15667]: segfault at 0 ip 00007fcbed8feb14 sp 00007fff9687e0f0 error 4 in libcknfast.so[7fcbed855000+1ee000]

I tried testing the HSM and it appears to be working fine:

/usr/bin/ods-hsmspeed -r thales
Opening HSM Library...
Generating temporary key...
Temporary key created: 7edab7c41138f9ee88c3fc3bf6ec38d1
Signing 1 RRsets with RSA/SHA1 using 1 thread...
Signer thread #0 started...
Signer thread #0 done.
Signing done.
1 thread, 1 signatures per thread, 165.89 sig/s (RSA 1024 bits)
Deleting temporary key...

I got the idea to create the keys by hand:

ods-ksmutil key generate --policy zacr-nsec3 --interval 3D
Key sharing is Off
HSM opened successfully.
Info: 2 zone(s) found on policy "zacr-nsec3"
2 new KSK(s) (2048 bits) need to be created for policy zacr-nsec3: keys_to_generate(2) = keys_needed(2) - keys_available(0).
2 new ZSK(s) (1024 bits) need to be created for policy zacr-nsec3: keys_to_generate(2) = keys_needed(2) - keys_available(0).
*WARNING* This will create 2 KSKs (2048 bits) and 2 ZSKs (1024 bits)
Are you sure? [y/N] y
Created KSK size: 2048, alg: 8 with id: b2ef8697d6b69c563bbbe7240f19ea21 in repository: thales and database.
Created KSK size: 2048, alg: 8 with id: d297acdb3da9c037a41a93c0bc759125 in repository: thales and database.
Created ZSK size: 1024, alg: 8 with id: 37de55772bdd4d2dd7dc855718c76763 in repository: thales and database.
Created ZSK size: 1024, alg: 8 with id: 994d1945737cc3a65f6cd60d8ed70031 in repository: thales and database.
all done! hsm_close result: 0

Now running OpenDNSSEC it works:

ods-signerd: [hsm] libhsm connection opened succesfully
ods-signerd: [engine] signer started (version 1.4.5), pid 15782
ods-enforcerd: Zone web.za found.
ods-enforcerd: Policy for web.za set to zacr-nsec3.
ods-enforcerd: Config will be output to /var/opendnssec/signconf/web.za.xml.
ods-enforcerd: ZSK key allocation for zone web.za: 1 key(s) allocated
ods-enforcerd: KSK key allocation for zone web.za: 1 key(s) allocated
ods-signerd: [signconf] zone za signconf: RESIGN[PT7200S] REFRESH[PT259200S] VALIDITY[PT604800S] DENIAL[PT604800S] JITTER[PT43200S] OFFSET[PT3600S] NSEC[50] DNSKEYTTL[PT3600S] SOATTL[PT3600S] MINIMUM[PT3600S] SERIAL[unixtime]
ods-signerd: [signconf] zone web.za signconf: RESIGN[PT7200S] REFRESH[PT259200S] VALIDITY[PT604800S] DENIAL[PT604800S] JITTER[PT43200S] OFFSET[PT3600S] NSEC[50] DNSKEYTTL[PT3600S] SOATTL[PT3600S] MINIMUM[PT3600S] SERIAL[unixtime]
ods-signerd: [namedb] zone za unable to use unixtime as serial: 1401279757 does not increase 2014030508. Serial set to 2014030509
ods-signerd: [STATS] za 2014030509 RR[count=135 time=0(sec)] NSEC3[count=3 time=0(sec)] RRSIG[new=10 reused=0 time=0(sec) avg=0(sig/sec)] TOTAL[time=0(sec)]
ods-signerd: [STATS] web.za 1401279757 RR[count=453 time=0(sec)] NSEC3[count=58 time=0(sec)] RRSIG[new=116 reused=0 time=1(sec) avg=116(sig/sec)] TOTAL[time=1(sec)]

Regards,
David Peall
_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
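The log lines quoted in the message above (a policy with keys_available(0), signer workers failing to sign, and the enforcer segfault inside the HSM library) can be checked for automatically. This is an added example, not code from the post or from OpenDNSSEC: it re-types those lines as a constructed sample and flags when the enforcer crash coincides with a policy that still has no keys, which is the situation the manual ods-ksmutil key generate step worked around.

```python
import re

# Constructed sample: the enforcer/signer/kernel lines quoted in the post,
# one per line (the original mail ran them together).
SAMPLE_LOG = """\
ods-enforcerd: 2 zone(s) found on policy "zacr-nsec3"
ods-enforcerd: 2 new KSK(s) (2048 bits) need to be created for policy zacr-nsec3: keys_to_generate(2) = keys_needed(2) - keys_available(0).
ods-signerd: [hsm] libhsm connection opened succesfully
ods-signerd: [engine] signer started (version 1.4.5), pid 15672
ods-signerd: [worker[1]] CRITICAL: failed to sign zone za: General error
ods-signerd: [worker[1]] backoff task [configure] for zone za with 60 seconds
ods-signerd: [worker[2]] CRITICAL: failed to sign zone web.za: General error
kernel: [687265.213229] ods-enforcerd[15667]: segfault at 0 ip 00007fcbed8feb14 sp 00007fff9687e0f0 error 4 in libcknfast.so[7fcbed855000+1ee000]
"""

# Enforcer's key-accounting line: policy name plus the three counters.
KEYGEN_RE = re.compile(
    r"need to be created for policy (?P<policy>[^:\s]+): "
    r"keys_to_generate\((?P<gen>\d+)\) = keys_needed\((?P<need>\d+)\) - keys_available\((?P<avail>\d+)\)"
)
# Signer worker giving up on a zone.
SIGNFAIL_RE = re.compile(r"CRITICAL: failed to sign zone (?P<zone>\S+):")
# Kernel segfault report: which OpenDNSSEC daemon, its pid, and the library it died in.
SEGV_RE = re.compile(r"(?P<proc>ods-\w+)\[(?P<pid>\d+)\]: segfault at .* in (?P<lib>[^\[\s]+)\[")


def triage(log_text):
    """Scan OpenDNSSEC daemon and kernel log lines; return the findings a first look needs."""
    findings = {"policies_without_keys": {}, "zones_failed": [], "segfaults": []}
    for line in log_text.splitlines():
        m = KEYGEN_RE.search(line)
        if m and int(m["avail"]) == 0:
            # policy -> number of keys the enforcer still has to create
            findings["policies_without_keys"][m["policy"]] = int(m["gen"])
        m = SIGNFAIL_RE.search(line)
        if m and m["zone"] not in findings["zones_failed"]:
            findings["zones_failed"].append(m["zone"])
        m = SEGV_RE.search(line)
        if m:
            findings["segfaults"].append((m["proc"], int(m["pid"]), m["lib"]))
    return findings


def likely_keygen_crash(findings):
    """True when ods-enforcerd segfaulted while some policy still had no keys available."""
    enforcer_crashed = any(proc == "ods-enforcerd" for proc, _, _ in findings["segfaults"])
    return bool(findings["policies_without_keys"]) and enforcer_crashed
```

Running triage() over the sample reports the zacr-nsec3 policy with 0 keys, the zones za and web.za failing to sign, and the enforcer segfault in libcknfast.so, so likely_keygen_crash() returns True; a healthy startup log like the second one in the post returns False.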
