One of my zones (I have several on the same OpenDNS instance, the others seem to work) is no longer signed. The log says:

Feb 12 11:00:47 server ods-signerd[472]: ObjectFile.cpp(122): The attribute does not exist: 0x00000002
Feb 12 11:00:47 server ods-signerd[472]: [hsm] unable to get key: key 548a9238dd2b608c488ddb6ba08796fb not found
Feb 12 11:00:47 server ods-signerd[472]: [hsm] hsm_get_dnskey(): Got NULL key
Feb 12 11:00:47 server ods-signerd[472]: [hsm] unable to get key: hsm failed to create dnskey
Feb 12 11:00:47 server ods-signerd[472]: [zone] unable to publish dnskeys for zone cyberstructure.fr: error creating dnskey
Feb 12 11:00:47 server ods-signerd[472]: [tools] unable to read zone cyberstructure.fr: failed to publish dnskeys (General error)
Feb 12 11:00:47 server ods-signerd[472]: [worker[1]] CRITICAL: failed to sign zone cyberstructure.fr: General error
Feb 12 11:00:47 server ods-signerd[472]: [worker[1]] backoff task [read] for zone cyberstructure.fr with 3600 seconds

Checking the keys:

% sudo ods-enforcer key list --zone cyberstructure.fr --verbose
Keys:
Zone:              Keytype: State:  Date of next transition: Size: Algorithm: CKA_ID:                          Repository: KeyTag:
cyberstructure.fr  ZSK      retire  2019-02-23 10:46:20      1024  8          8c88bea6d5f6ccefec67648a37ef6b86 SoftHSM     14454
cyberstructure.fr  KSK      active  2019-02-23 10:46:20      2048  8          2d63a8cc9f68602d5b98f2bcb2714119 SoftHSM     63130
cyberstructure.fr  ZSK      ready   2019-02-23 10:46:20      1024  8          548a9238dd2b608c488ddb6ba08796fb SoftHSM     17148
key list completed in 0 seconds.

I see that the "not found" key is the current ZSK, which is bad.

First, an emergency: how to solve the problem before the expiration of signatures? Can I force a "rollover" of the ZSK and, if so, how?

Then, longer term: what happened?

OpenDNSSEC 2.0.4 running on Debian "stretch" (stable). "HSM" is SoftHSM 2.2.0.
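
Added example, not part of the original post and not OpenDNSSEC code: a small Python script that matches the CKA_ID from the signer's "key ... not found" log line against the rows of `ods-enforcer key list --verbose`, to show which role and state the enforcer assigns to the key the HSM cannot return. It assumes key rows have the shape shown in the post (date and time as the "next transition" field); the sample input is constructed from the lines quoted there.

```python
import re

# Constructed sample input, taken from the log and key list quoted in the post.
SIGNER_LOG = """\
Feb 12 11:00:47 server ods-signerd[472]: [hsm] unable to get key: key 548a9238dd2b608c488ddb6ba08796fb not found
Feb 12 11:00:47 server ods-signerd[472]: [hsm] hsm_get_dnskey(): Got NULL key
Feb 12 11:00:47 server ods-signerd[472]: [worker[1]] CRITICAL: failed to sign zone cyberstructure.fr: General error
"""
KEY_LIST = """\
cyberstructure.fr ZSK retire 2019-02-23 10:46:20 1024 8 8c88bea6d5f6ccefec67648a37ef6b86 SoftHSM 14454
cyberstructure.fr KSK active 2019-02-23 10:46:20 2048 8 2d63a8cc9f68602d5b98f2bcb2714119 SoftHSM 63130
cyberstructure.fr ZSK ready 2019-02-23 10:46:20 1024 8 548a9238dd2b608c488ddb6ba08796fb SoftHSM 17148
"""

MISSING_RE = re.compile(r"\[hsm\] unable to get key: key ([0-9a-f]{32}) not found")
# Fields: zone, keytype, state, date, time, size, algorithm, CKA_ID, repository, keytag
KEY_ROW_RE = re.compile(
    r"^(\S+)\s+(\S+)\s+(\S+)\s+\S+\s+\S+\s+\d+\s+\d+\s+([0-9a-f]{32})\s+(\S+)\s+(\d+)$")

def missing_key_ids(log_text):
    """Return the distinct CKA_IDs the signer could not find, in log order."""
    seen = []
    for m in MISSING_RE.finditer(log_text):
        if m.group(1) not in seen:
            seen.append(m.group(1))
    return seen

def parse_key_list(text):
    """Map CKA_ID -> row fields; header and status lines do not match and are skipped."""
    keys = {}
    for line in text.splitlines():
        m = KEY_ROW_RE.match(line.strip())
        if m:
            zone, keytype, state, cka_id, repo, tag = m.groups()
            keys[cka_id] = {"zone": zone, "keytype": keytype, "state": state,
                            "repository": repo, "keytag": int(tag)}
    return keys

def correlate(log_text, key_list_text):
    """For each missing CKA_ID, return the enforcer's view of it, or None if unknown."""
    keys = parse_key_list(key_list_text)
    return [(cka, keys.get(cka)) for cka in missing_key_ids(log_text)]

if __name__ == "__main__":
    for cka, info in correlate(SIGNER_LOG, KEY_LIST):
        print(cka, info or "not known to the enforcer")
```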
