On 2021-04-15 22:37, Michael Grimm wrote:
Berry van Halderen <be...@nlnetlabs.nl> wrote:
On 2021-04-15 21:29, Michael Grimm via Opendnssec-user wrote:
      <Key>
        <Flags>256</Flags>
        <Algorithm>13</Algorithm>
        <Locator>c9b713853a6757d0ac806ddc6384968c</Locator>

here ;-)

      </Key>

Yep, that's the way I expected it to be.  I'll harden the signer for it.

I suspect this is an old key that was removed and with a restart there are still old signatures of this key around. A ods-signer clear <zone> will repair the issue, but I'd like to harden the signer to not care about too aggressive key purging.

I did try 'ods-signer clear <zone>' for a domain not in use but part
of opendnssec2:
| Internal zone information about another-example.tld cleared

But I can still find the complained key in:
/usr/local/var/opendnssec/signconf/another-example.tld.xml:
<Locator>df0e8bd101258e85364846f5b3bfea06</Locator>


But why does the signer look for keys not available in the hsm database?

Probably because there are still signatures with this key.

I have restarted that jail numerous times after my manual purge and
never ran into this issue.
My ZSK rollover completed last week. Thus, that key shouldn't be in
use any longer.
And, I had some signing going in the last day. I had had to update my
zones due to dkim and dmarc addition.
No error messages at that time.
But anyway, how can I find out?

Any ideas regarding this and how to debug this issue

See above ;-)

That didn't work ;-)
Would it be an option to remove those no longer available Locator
entries in /usr/local/var/opendnssec/signconf/ manually (by
scripting)?

That will help, but I would remove them just once by editing it.
Next step of the enforcer would be to remove those entries, so they
shouldn't come back, and I'll have a hardened signer for you then
anyway.

For now, just remove the keys from the signconf and perform a

  ods-signer update --all

\Berry
_______________________________________________
Opendnssec-user mailing list
Opendnssec-user@lists.opendnssec.org
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
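As an added example (not OpenDNSSEC's own tooling), a small Python script for the check behind the advice above: list the <Key> entries in a signconf whose <Locator> is not among the HSM's key IDs, and produce a copy with those entries removed before running ods-signer update --all. The signconf sample and the HSM locator set are constructed; in practice the set would be filled from the ID column of ods-hsmutil list.

```python
"""Report (and optionally prune) <Key> entries in an OpenDNSSEC signconf
whose <Locator> is not in the HSM.  Added example, not OpenDNSSEC's own code."""
import xml.etree.ElementTree as ET

# Constructed sample modelled on the signconf fragments quoted in the thread.
SAMPLE_SIGNCONF = """<SignerConfiguration>
  <Zone name="another-example.tld">
    <Keys>
      <Key>
        <Flags>256</Flags>
        <Algorithm>13</Algorithm>
        <Locator>c9b713853a6757d0ac806ddc6384968c</Locator>
      </Key>
      <Key>
        <Flags>256</Flags>
        <Algorithm>13</Algorithm>
        <Locator>df0e8bd101258e85364846f5b3bfea06</Locator>
      </Key>
    </Keys>
  </Zone>
</SignerConfiguration>
"""

# Constructed: in practice take these from the ID column of `ods-hsmutil list`.
HSM_LOCATORS = {"c9b713853a6757d0ac806ddc6384968c"}


def missing_locators(signconf_xml, hsm_locators):
    """Locators referenced by the signconf but absent from the HSM, in document order."""
    root = ET.fromstring(signconf_xml)
    return [loc.text.strip() for loc in root.iter("Locator")
            if loc.text and loc.text.strip() not in hsm_locators]


def prune_missing_keys(signconf_xml, hsm_locators):
    """Return (cleaned_xml, removed_locators) with every <Key> whose locator
    is not in the HSM dropped; everything else is serialised unchanged."""
    root = ET.fromstring(signconf_xml)
    removed = []
    # ElementTree keeps no parent pointers, so visit every element (snapshot
    # taken first) and remove offending <Key> children from it.
    for parent in list(root.iter()):
        for key in list(parent.findall("Key")):
            loc = key.findtext("Locator", default="").strip()
            if loc not in hsm_locators:
                parent.remove(key)
                removed.append(loc)
    return ET.tostring(root, encoding="unicode"), removed
```

Run missing_locators() first as a dry run and keep a backup of the signconf; only write the pruned copy back once the reported locators are confirmed gone from the HSM.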
