Hi Stephane,

Just restart ods-signerd. I suffer from the same bug; it happens when ODS generates a new key automatically with key rollovers. I've debugged and troubleshot this issue even with our support partners but couldn't find a fix. It would be great if someone who has an idea what the fix could be can help us. Our setup is ODS running on CentOS 7 boxes with Thales HSMs as backend. To make it happen less, I pregenerate ZSKs and leave them in our storage, and then restart ods-signerd after generating the keys. It will give you peace of mind for a while, until the key storage runs out and a rollover generates a new key, in which case you'll have to restart ods-signerd again.

HTH
Kareem.

On 12/02/2019 10:09, Stephane Bortzmeyer wrote:
> One of my zones (I have several on the same OpenDNS instance, the
> others seem to work) is no longer signed. The log says:
>
> Feb 12 11:00:47 server ods-signerd[472]: ObjectFile.cpp(122): The attribute does not exist: 0x00000002
> Feb 12 11:00:47 server ods-signerd[472]: [hsm] unable to get key: key 548a9238dd2b608c488ddb6ba08796fb not found
> Feb 12 11:00:47 server ods-signerd[472]: [hsm] hsm_get_dnskey(): Got NULL key
> Feb 12 11:00:47 server ods-signerd[472]: [hsm] unable to get key: hsm failed to create dnskey
> Feb 12 11:00:47 server ods-signerd[472]: [zone] unable to publish dnskeys for zone cyberstructure.fr: error creating dnskey
> Feb 12 11:00:47 server ods-signerd[472]: [tools] unable to read zone cyberstructure.fr: failed to publish dnskeys (General error)
> Feb 12 11:00:47 server ods-signerd[472]: [worker[1]] CRITICAL: failed to sign zone cyberstructure.fr: General error
> Feb 12 11:00:47 server ods-signerd[472]: [worker[1]] backoff task [read] for zone cyberstructure.fr with 3600 seconds
>
> Checking the keys:
>
> % sudo ods-enforcer key list --zone cyberstructure.fr --verbose
> Keys:
> Zone:              Keytype: State:  Date of next transition: Size: Algorithm: CKA_ID:                          Repository: KeyTag:
> cyberstructure.fr  ZSK      retire  2019-02-23 10:46:20      1024  8          8c88bea6d5f6ccefec67648a37ef6b86 SoftHSM     14454
> cyberstructure.fr  KSK      active  2019-02-23 10:46:20      2048  8          2d63a8cc9f68602d5b98f2bcb2714119 SoftHSM     63130
> cyberstructure.fr  ZSK      ready   2019-02-23 10:46:20      1024  8          548a9238dd2b608c488ddb6ba08796fb SoftHSM     17148
> key list completed in 0 seconds.
>
> I see that the "not found" key is the current ZSK, which is bad.
>
> First, an emergency: how to solve the problem before the expiration of
> signatures? Can I force a "rollover" of the ZSK and, if so, how?
>
> Then, longer term: what happened?
>
> OpenDNSSEC 2.0.4 running on Debian "stretch" (stable). "HSM" is
> SoftHSM 2.2.0.
> _______________________________________________
> Opendnssec-user mailing list
> [email protected]
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user

-- 
Abdulkareem H. Ali
Operations Team Leader
CentralNic Group PLC
London Stock Exchange Symbol: CNIC
+44 20 3388 0600
www.CentralNic.com

CentralNic Group PLC is a company registered in England and Wales with company number 8576358. Registered Offices: 35-39 Moorgate, London, EC2R 6AR.
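The failure mode in this thread (the signer asks the HSM for a key CKA_ID that the enforcer still lists as ready or active, the lookup fails, and signing of the zone stops until someone restarts ods-signerd) is easy to catch from the outside by correlating the two outputs quoted above. The following is an added monitoring example, not code from the thread or from the OpenDNSSEC project: it parses ods-signerd "unable to get key ... not found" messages and verbose `ods-enforcer key list` output, and raises a critical finding when a missing key is one the enforcer expects the signer to be using. The sample log lines and key list are constructed from the quoted output (one message per line); the function names are the example's own.

```python
import re
from typing import Dict, List, Set

# Constructed sample: ods-signerd syslog lines modelled on the ones quoted in the thread
# (one message per line; not part of the original post).
SAMPLE_LOG = """\
Feb 12 11:00:47 server ods-signerd[472]: ObjectFile.cpp(122): The attribute does not exist: 0x00000002
Feb 12 11:00:47 server ods-signerd[472]: [hsm] unable to get key: key 548a9238dd2b608c488ddb6ba08796fb not found
Feb 12 11:00:47 server ods-signerd[472]: [hsm] hsm_get_dnskey(): Got NULL key
Feb 12 11:00:47 server ods-signerd[472]: [hsm] unable to get key: hsm failed to create dnskey
Feb 12 11:00:47 server ods-signerd[472]: [zone] unable to publish dnskeys for zone cyberstructure.fr: error creating dnskey
Feb 12 11:00:47 server ods-signerd[472]: [worker[1]] CRITICAL: failed to sign zone cyberstructure.fr: General error
"""

# Constructed sample: `ods-enforcer key list --zone cyberstructure.fr --verbose` output
# as quoted in the thread (column alignment is ours).
SAMPLE_KEY_LIST = """\
Keys:
Zone:             Keytype: State:  Date of next transition: Size: Algorithm: CKA_ID:                          Repository: KeyTag:
cyberstructure.fr ZSK      retire  2019-02-23 10:46:20      1024  8          8c88bea6d5f6ccefec67648a37ef6b86 SoftHSM     14454
cyberstructure.fr KSK      active  2019-02-23 10:46:20      2048  8          2d63a8cc9f68602d5b98f2bcb2714119 SoftHSM     63130
cyberstructure.fr ZSK      ready   2019-02-23 10:46:20      1024  8          548a9238dd2b608c488ddb6ba08796fb SoftHSM     17148
key list completed in 0 seconds.
"""

KEY_NOT_FOUND = re.compile(r"ods-signerd\[\d+\]: \[hsm\] unable to get key: key ([0-9a-fA-F]+) not found")
SIGN_FAILED = re.compile(r"ods-signerd\[\d+\]: \[worker\[\d+\]\] CRITICAL: failed to sign zone (\S+):")

# Enforcer states in which the signer must be able to use the key (assumption of this example).
STATES_IN_USE = {"publish", "ready", "active"}


def missing_keys_from_log(log: str) -> Set[str]:
    """CKA_IDs the signer reported as absent from the HSM."""
    return {m.group(1).lower() for m in KEY_NOT_FOUND.finditer(log)}


def failed_zones_from_log(log: str) -> Set[str]:
    """Zones whose signing the signer marked CRITICAL."""
    return {m.group(1) for m in SIGN_FAILED.finditer(log)}


def parse_key_list(text: str) -> List[Dict[str, str]]:
    """Parse verbose `ods-enforcer key list` output into one dict per key row."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        # A key row has 10 whitespace-separated fields: the date column contains a space.
        if len(f) != 10 or f[1] not in ("KSK", "ZSK", "CSK"):
            continue  # header, "Keys:" and "key list completed" lines
        rows.append({"zone": f[0], "keytype": f[1], "state": f[2],
                     "next_transition": f"{f[3]} {f[4]}", "size": f[5],
                     "algorithm": f[6], "cka_id": f[7].lower(),
                     "repository": f[8], "keytag": f[9]})
    return rows


def check_missing_keys(log: str, key_list: str) -> List[dict]:
    """Correlate 'key not found' errors with the enforcer's view of each key.

    A missing key the enforcer still considers in use means the zone can no
    longer be signed and its RRSIGs will expire unless an operator intervenes;
    a missing retired key only gets a warning.
    """
    by_id = {row["cka_id"]: row for row in parse_key_list(key_list)}
    failed = failed_zones_from_log(log)
    findings = []
    for cka_id in sorted(missing_keys_from_log(log)):
        row = by_id.get(cka_id)
        if row is None:
            findings.append({"cka_id": cka_id, "severity": "info",
                             "reason": "key referenced by signer but unknown to enforcer"})
            continue
        severity = "critical" if row["state"] in STATES_IN_USE else "warning"
        findings.append({"cka_id": cka_id, "zone": row["zone"], "keytype": row["keytype"],
                         "state": row["state"], "keytag": row["keytag"],
                         "repository": row["repository"],
                         "signing_failed": row["zone"] in failed,
                         "severity": severity,
                         "reason": (f"{row['keytype']} in state '{row['state']}' is absent "
                                    f"from repository {row['repository']}")})
    return findings


if __name__ == "__main__":
    for finding in check_missing_keys(SAMPLE_LOG, SAMPLE_KEY_LIST):
        print(finding)
```

Run against the sample input it reports one critical finding: the ZSK with key tag 17148, in state ready, is the key the HSM cannot return, and the zone's signing has already failed. In practice you would feed it the signer's syslog or journal output and the output of `ods-enforcer key list --verbose` for each zone from a cron job, and alert on any critical finding well inside the RRSIG validity window, which is the point at which the restart workaround described above still helps.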
