On 10/06/14 15:40, David Peall wrote:
> Trying a key rollover I get the following:
> ods-enforcerd: Key 85d783cf86e25fe6c9bce3cbac1cf851 in DB but not repository.
>
> Run as the opendnssec user:
> ods-hsmutil list thales | grep 85d783cf86e25fe6c9bce3cbac1cf851
> thales 85d783cf86e25fe6c9bce3cbac1cf851 RSA/2048
>
> Something hinky going on?

Clearly the key _does_ exist in the HSM and I assume that the enforcer is misinterpreting an error return from the thales box... Is anything being logged from the HSM side that might help?

> Regards
> —
> David Peall
>
> On 10 Jun 2014, at 4:22 PM, David Peall <da...@dnservices.co.za> wrote:
>
>> Hi All
>>
>> As Mark has said, logged in as the signer user we are able to list the
>> “missing” key.
>> <zone> KSK active 2015-06-10 15:19:39 (retire) 2048 8 994410881c1e66e2d075ed1ed1756679 thales 15664
>>
>> Anything else we can try to look for?
>>
>> Regards
>> —
>> David Peall
>>
>> On 09 Jun 2014, at 2:39 PM, Siôn Lloyd <s...@nominet.org.uk> wrote:
>>
>>> On 09/06/14 11:30, David Peall wrote:
>>>> But then:
>>>> ods-signerd: [hsm] unable to get key: key 994410881c1e66e2d075ed1ed1756679 not found
>>>> ods-signerd: [zone] unable to publish dnskeys for zone <zone>: error creating dnskey
>>>> ods-signerd: [tools] unable to read zone <zone>: failed to publish dnskeys (General error)
>>>>
>>>> But:
>>>> ods-ksmutil key list --verbose
>>>> Zone: Keytype: State: Date of next transition (to): Size: Algorithm: CKA_ID: Repository: Keytag:
>>>> <zone> KSK publish 2014-06-10 02:17:13 (ready) 2048 8 994410881c1e66e2d075ed1ed1756679 thales 15664
>>>>
>>>> Is this because the key is not active? Is this a bug?
>>> Hi David,
>>>
>>> The state of the key is not causing this... Does the signer run as the
>>> same user/group as the enforcer?
>>>
>>>> Also get this:
>>>> ods-enforcerd: WARNING: KSK rollover for zone '<zone>' not completed as
>>>> there are no keys in the 'ready' state; ods-enforcerd will try again when
>>>> it runs next
>>>>
>>> This is just a warning that you have to wait for the KSK and signatures
>>> to propagate before the key is considered "ACTIVE". The wording is not
>>> ideal for the initial signing situation, but makes more sense when
>>> describing subsequent rolls.
>>>
>>> Sion
>>> _______________________________________________
>>> Opendnssec-user mailing list
>>> Opendnssec-user@lists.opendnssec.org
>>> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
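A cross-check of the two listings the thread compares, added here as an example and not code from the thread or from OpenDNSSEC: it parses `ods-ksmutil key list --verbose` and `ods-hsmutil list <repository>` output and reports every CKA_ID the enforcer database references that the HSM listing does not show. The sample output below is constructed (placeholder zone name, invented ZSK row and keytag); the row layout it assumes is the one visible in the quoted messages.

```python
import re

# Constructed sample of `ods-ksmutil key list --verbose` output. The CKA_IDs
# are the ones quoted in the thread; zone name, ZSK row and keytag are made up.
KSMUTIL_OUTPUT = """\
Zone:  Keytype:  State:  Date of next transition (to):  Size:  Algorithm:  CKA_ID:  Repository:  Keytag:
example.test  KSK  publish  2014-06-10 02:17:13 (ready)  2048  8  994410881c1e66e2d075ed1ed1756679  thales  15664
example.test  ZSK  active  2014-07-10 02:17:13 (retire)  1024  8  85d783cf86e25fe6c9bce3cbac1cf851  thales  40123
"""

# Constructed sample of `ods-hsmutil list thales` output; only one key is visible.
HSMUTIL_OUTPUT = """\
Listing keys in repository: thales
thales  85d783cf86e25fe6c9bce3cbac1cf851  RSA/2048
"""

# One key row from ksmutil: zone, type, state ... CKA_ID, repository, keytag.
KSM_ROW = re.compile(
    r"^(?P<zone>\S+)\s+(?P<ktype>KSK|ZSK)\s+(?P<state>\S+)\s+.*?"
    r"(?P<cka_id>[0-9a-f]{32})\s+(?P<repo>\S+)\s+(?P<keytag>\d+)\s*$"
)
# One key row from hsmutil: repository, CKA_ID, key type (e.g. RSA/2048).
HSM_ROW = re.compile(r"^(?P<repo>\S+)\s+(?P<cka_id>[0-9a-f]{32})\s+\S+\s*$")


def parse_ksmutil(text):
    """Map CKA_ID -> (zone, keytype, state, repository) from the enforcer DB listing."""
    keys = {}
    for line in text.splitlines():
        m = KSM_ROW.match(line)
        if m:
            keys[m["cka_id"]] = (m["zone"], m["ktype"], m["state"], m["repo"])
    return keys


def parse_hsmutil(text):
    """Set of (repository, CKA_ID) pairs actually visible through the PKCS#11 token."""
    return {(m["repo"], m["cka_id"]) for m in map(HSM_ROW.match, text.splitlines()) if m}


def keys_missing_from_hsm(db_keys, hsm_keys):
    """CKA_IDs the enforcer DB references that the HSM listing does not show,
    i.e. the 'in DB but not repository' condition from the thread."""
    return sorted(cka for cka, (_, _, _, repo) in db_keys.items()
                  if (repo, cka) not in hsm_keys)


if __name__ == "__main__":
    db = parse_ksmutil(KSMUTIL_OUTPUT)
    for cka in keys_missing_from_hsm(db, parse_hsmutil(HSMUTIL_OUTPUT)):
        zone, ktype, state, repo = db[cka]
        print(f"{zone} {ktype} ({state}): key {cka} in DB but not in repository {repo}")
```

If a key is reported missing here but `ods-hsmutil list` run as a different user does show it, the two daemons are not seeing the same token view, so compare the user/group and PKCS#11 configuration the signer and enforcer run under, as Siôn asks above.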