Michael Grimm via Opendnssec-user <[email protected]> wrote:
>
> Berry van Halderen <[email protected]> wrote:

[I forgot to mention]

>> I suspect this is an old key that was removed and with a restart there are
>> still old signatures of this key around. An ods-signer clear <zone> will
>> repair the issue, but I'd like to harden the signer to not care about too
>> aggressive key purging.
>
> I did try 'ods-signer clear <zone>' for a domain not in use but part of
> opendnssec2:
> | Internal zone information about another-example.tld cleared
>
> But I can still find the complained key in:
> /usr/local/var/opendnssec/signconf/another-example.tld.xml:
> <Locator>df0e8bd101258e85364846f5b3bfea06</Locator>

And the relevant part in ods.log is:

Apr 15 22:30:05 dns2 ods-signerd[56679]: [cmdhandler] internal zone information about another-example.tld.xml cleared
Apr 15 22:30:05 dns2 ods-signerd[56679]: [signconf] zone another-example.tld.xml signconf: RESIGN[PT2H] REFRESH[P3D] VALIDITY[P14D] DENIAL[P14D] KEYSET[PT0S] JITTER[PT12H] OFFSET[PT1H] NSEC[50] DNSKEYTTL[PT1H] SOATTL[PT1H] MINIMUM[PT1H] SERIAL[datecounter]
Apr 15 22:30:05 dns2 ods-signerd[56679]: [zone] unable to update zone another-example.tld.xml soa serial: failed to find soa rrset
Apr 15 22:30:05 dns2 ods-signerd[56679]: [worker[2]] unable to sign zone another-example.tld.xml: failed to increment serial
Apr 15 22:30:05 dns2 ods-signerd[56679]: [worker[2]] CRITICAL: failed to sign zone another-example.tld.xml: General error

>>> Any ideas regarding this and how to debug this issue
>>
>> See above ;-)
>
> That didn't work ;-)

What I meant is 'ods-signer clear <zone>'.

Regards,
Michael
