Hi Mark and David,

All the problems you have reported point to issues with your HSM rather than a problem with OpenDNSSEC.

OpenDNSSEC cannot recover from a state where the key was successfully created but is now missing in the HSM. If this is a test environment then you should test your setup with SoftHSM to just verify that your setup works and that there isn't any strange hardware problem. If this is your production environment I would suggest going unsigned until these problems have been resolved. I also suggest that you contact your HSM provider, maybe they can provide you with tools to debug the HSM so you can begin to locate the issue.

Regards,
Jerry

--
Jerry Lundström - OpenDNSSEC Developer
http://www.opendnssec.org/

On 10 jun 2014, at 16:40, David Peall <da...@dnservices.co.za> wrote:

Trying a key rollover I get the following:

ods-enforcerd: Key 85d783cf86e25fe6c9bce3cbac1cf851 in DB but not repository.

Run as the opendnssec user:

ods-hsmutil list thales | grep 85d783cf86e25fe6c9bce3cbac1cf851
thales 85d783cf86e25fe6c9bce3cbac1cf851 RSA/2048

Something hinky going on?

Regards
— David Peall

On 10 Jun 2014, at 4:22 PM, David Peall <da...@dnservices.co.za> wrote:

Hi All

As Mark has said, logged in as the signer user we are able to list the "missing" key.

<zone>   KSK   active   2015-06-10 15:19:39 (retire)   2048   8   994410881c1e66e2d075ed1ed1756679   thales   15664

Anything else we can try to look for?

Regards
— David Peall

On 09 Jun 2014, at 2:39 PM, Siôn Lloyd <s...@nominet.org.uk> wrote:

On 09/06/14 11:30, David Peall wrote:

But then:

ods-signerd: [hsm] unable to get key: key 994410881c1e66e2d075ed1ed1756679 not found
ods-signerd: [zone] unable to publish dnskeys for zone <zone>: error creating dnskey
ods-signerd: [tools] unable to read zone <zone>: failed to publish dnskeys (General error)

But:

ods-ksmutil key list --verbose
Zone:    Keytype:  State:    Date of next transition (to):  Size:  Algorithm:  CKA_ID:                           Repository:  Keytag:
<zone>   KSK       publish   2014-06-10 02:17:13 (ready)    2048   8           994410881c1e66e2d075ed1ed1756679  thales       15664

Is this because the key is not active? Is this a bug?

Hi David,

The state of the key is not causing this... Does the signer run as the same user/group as the enforcer?

Also get this:

ods-enforcerd: WARNING: KSK rollover for zone '<zone>' not completed as there are no keys in the 'ready' state; ods-enforcerd will try again when it runs next

This is just a warning that you have to wait for the KSK and signatures to propagate before the key is considered "ACTIVE". The wording is not ideal for the initial signing situation, but makes more sense when describing subsequent rolls.

Sion

_______________________________________________
Opendnssec-user mailing list
Opendnssec-user@lists.opendnssec.org
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
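The thread turns on one question: does every CKA_ID the enforcer database knows about actually exist in the HSM, as seen by the user the daemons run as? The following is an added example, not code from the thread or from the OpenDNSSEC project. It is a small POSIX sh helper that takes the text of `ods-ksmutil key list --verbose` and `ods-hsmutil list` and prints the CKA_IDs present in the enforcer listing but absent from the HSM listing. The sample listings embedded below are constructed to mirror the column layout quoted in the thread (the second ZSK row, its keytag and the exact HSM header lines are assumptions); the key IDs themselves are the ones quoted above.

```shell
#!/bin/sh
# Constructed sample of `ods-ksmutil key list --verbose` output (enforcer DB view).
# The ZSK row and its keytag are made up for the example.
KSMUTIL_OUTPUT='Zone:        Keytype:  State:    Date of next transition (to):  Size:  Algorithm:  CKA_ID:                           Repository:  Keytag:
example.com  KSK       publish   2014-06-10 02:17:13 (ready)    2048   8           994410881c1e66e2d075ed1ed1756679  thales       15664
example.com  ZSK       active    2014-07-10 02:17:13 (retire)   1024   8           85d783cf86e25fe6c9bce3cbac1cf851  thales       12345'

# Constructed sample of `ods-hsmutil list` output (HSM view). The KSK is deliberately
# absent here to reproduce the "in DB but not repository" situation from the thread.
HSMUTIL_OUTPUT='Listing keys in all repositories.
1 key found.

Repository  ID                                Type
----------  --                                ----
thales      85d783cf86e25fe6c9bce3cbac1cf851  RSA/2048'

# Print every token that looks like a CKA_ID (32 lowercase hex characters), one per line.
# Dates, keytags, sizes and column headers never match this shape, so no other
# knowledge of the column layout is needed.
extract_cka_ids() {
    awk '{ for (i = 1; i <= NF; i++)
               if (length($i) == 32 && $i ~ /^[0-9a-f]+$/) print $i }'
}

# missing_in_hsm ENFORCER_LISTING HSM_LISTING
# Prints each CKA_ID that appears in the enforcer listing but not in the HSM listing.
# Exit status is 0 when nothing is missing, 1 otherwise.
missing_in_hsm() {
    db_ids=$(printf '%s\n' "$1" | extract_cka_ids | sort -u)
    hsm_ids=$(printf '%s\n' "$2" | extract_cka_ids | sort -u)
    rc=0
    for id in $db_ids; do
        if ! printf '%s\n' "$hsm_ids" | grep -qx "$id"; then
            printf '%s\n' "$id"
            rc=1
        fi
    done
    return $rc
}

# Stand-alone run against the constructed samples.
# On a real host the same check is:
#   missing_in_hsm "$(ods-ksmutil key list --verbose)" "$(ods-hsmutil list)"
# run once as the enforcer user and once as the signer user, since the thread shows
# the two may see different things.
if missing=$(missing_in_hsm "$KSMUTIL_OUTPUT" "$HSMUTIL_OUTPUT"); then
    echo "all enforcer keys present in HSM"
else
    echo "keys in enforcer DB but not in HSM:"
    printf '%s\n' "$missing"
fi
```

Because the check only compares CKA_IDs, it does not touch key material and is safe to run repeatedly; a non-empty result while both daemons run as the same user is the case Jerry describes as unrecoverable by OpenDNSSEC itself, whereas a result that differs between users points at PKCS#11 slot or permission configuration rather than the HSM.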