Trying a key rollover I get the following:
ods-enforcerd: Key 85d783cf86e25fe6c9bce3cbac1cf851 in DB but not repository.

Run as the opendnssec user:
ods-hsmutil list thales | grep 85d783cf86e25fe6c9bce3cbac1cf851
thales                85d783cf86e25fe6c9bce3cbac1cf851  RSA/2048

Something hinky going on?

Regards
—
David Peall

On 10 Jun 2014, at 4:22 PM, David Peall <da...@dnservices.co.za> wrote:

> Hi All
> 
> As Mark has said, logged in as the signer user we are able to list the
> "missing" key:
> <zone>  KSK  active  2015-06-10 15:19:39 (retire)  2048  8  994410881c1e66e2d075ed1ed1756679  thales  15664
> 
> Anything else we can try to look for?
> 
> Regards
> —
> David Peall
> 
> On 09 Jun 2014, at 2:39 PM, Siôn Lloyd <s...@nominet.org.uk> wrote:
> 
>> On 09/06/14 11:30, David Peall wrote:
>>> 
>>> But then:
>>> ods-signerd: [hsm] unable to get key: key 994410881c1e66e2d075ed1ed1756679 
>>> not found
>>> ods-signerd: [zone] unable to publish dnskeys for zone <zone>: error 
>>> creating dnskey
>>> ods-signerd: [tools] unable to read zone <zone>: failed to publish dnskeys 
>>> (General error)
>>> 
>>> But: 
>>> ods-ksmutil key list --verbose
>>> Zone:   Keytype:  State:    Date of next transition (to):  Size:  Algorithm:  CKA_ID:                           Repository:  Keytag:
>>> <zone>  KSK       publish   2014-06-10 02:17:13 (ready)    2048   8           994410881c1e66e2d075ed1ed1756679  thales       15664
>>> 
>>> Is this because the key is not active? Is this a bug?
>> Hi David,
>> 
>> The state of the key is not causing this... Does the signer run as the
>> same user/group as the enforcer?
>> 
>>> Also get this:
>>> ods-enforcerd: WARNING: KSK rollover for zone '<zone>' not completed as
>>> there are no keys in the 'ready' state; ods-enforcerd will try again when
>>> it runs next
>>> 
>> 
>> This is just a warning that you have to wait for the KSK and signatures
>> to propagate before the key is considered "ACTIVE". The wording is not
>> ideal for the initial signing situation, but makes more sense when
>> describing subsequent rolls.
>> 
>> Sion
>> _______________________________________________
>> Opendnssec-user mailing list
>> Opendnssec-user@lists.opendnssec.org
>> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
> 


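Added example, not part of this thread and not OpenDNSSEC's own code: a POSIX shell script that does by hand the comparison behind the enforcer's "Key ... in DB but not repository" message, i.e. it takes every CKA_ID that `ods-ksmutil key list --verbose` reports for a repository and checks whether `ods-hsmutil list <repository>` shows it. The two command outputs embedded in the script are constructed samples: the row layout follows what is quoted above, but the hsmutil header lines and the second (ZSK) row are assumptions, and the sample is arranged so that the KSK is the key the HSM listing lacks. On a real host, capture both outputs as the user each daemon actually runs as (for example `sudo -u <signer-user> ods-hsmutil list thales`), because a listing that differs between the enforcer's and the signer's user is exactly what Sion's user/group question is probing.

```shell
#!/bin/sh
# Diagnostic helper (added example, not from OpenDNSSEC): report CKA_IDs that the
# enforcer database knows about but the HSM repository does not list.
#
# On a real host, replace the two constructed samples below with:
#   KSMUTIL_OUT=$(ods-ksmutil key list --verbose)
#   HSMUTIL_OUT=$(sudo -u <daemon-user> ods-hsmutil list thales)
# and run the second command once per daemon user (enforcer and signer) to see
# whether the token is visible to both.

# Constructed sample of `ods-ksmutil key list --verbose` (header line, then one row per key).
KSMUTIL_OUT='Zone:  Keytype:  State:  Date of next transition (to):  Size:  Algorithm:  CKA_ID:  Repository:  Keytag:
example.com  KSK  publish  2014-06-10 02:17:13 (ready)   2048  8  994410881c1e66e2d075ed1ed1756679  thales  15664
example.com  ZSK  active   2014-07-10 02:17:13 (retire)  1024  8  85d783cf86e25fe6c9bce3cbac1cf851  thales  4321'

# Constructed sample of `ods-hsmutil list thales`; only the ZSK is present on purpose.
HSMUTIL_OUT='Listing keys in repository: thales
1 key found.

Repository            ID                                Type
----------            --                                ----
thales                85d783cf86e25fe6c9bce3cbac1cf851  RSA/2048'

# db_keys OUTPUT: print "<cka_id> <repository>" for each key row of ksmutil output.
# A CKA_ID is recognised as a 32-character lower-case hex field; the repository
# name is the field that follows it.
db_keys() {
  printf '%s\n' "$1" | awk '
    NR > 1 {
      for (i = 1; i < NF; i++)
        if ($i ~ /^[0-9a-f]+$/ && length($i) == 32) { print $i, $(i + 1); break }
    }'
}

# hsm_keys OUTPUT REPO: print the CKA_IDs that hsmutil lists for repository REPO.
hsm_keys() {
  printf '%s\n' "$1" | awk -v repo="$2" '
    $1 == repo && $2 ~ /^[0-9a-f]+$/ && length($2) == 32 { print $2 }'
}

# missing_keys KSMUTIL_OUTPUT HSMUTIL_OUTPUT REPO: print every CKA_ID the enforcer
# DB holds for REPO that the HSM listing does not show (one per line).
missing_keys() {
  db_keys "$1" | awk -v repo="$3" '$2 == repo { print $1 }' | while read -r id; do
    if ! hsm_keys "$2" "$3" | grep -qx "$id"; then
      printf '%s\n' "$id"
    fi
  done
}

# Stand-alone run over the constructed samples.
missing=$(missing_keys "$KSMUTIL_OUT" "$HSMUTIL_OUT" thales)
if [ -n "$missing" ]; then
  printf 'In DB but not in repository thales:\n%s\n' "$missing"
else
  printf 'All DB keys for repository thales are present in the HSM.\n'
fi
```

If the script reports nothing as the enforcer's user but reports the key as the signer's user (or vice versa), the two daemons are not seeing the same token, which is the permission or configuration problem to chase rather than the key's state in the enforcer database.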
