On 2021-05-03 15:01, Colin Spensley via Opendnssec-user wrote:
Thank you. I should have been more diligent/comprehensive previously.

The immediate error is that ods-signer does not find a key (id:
ca7e41658c07917f82ca1a77794a235d) that it is expecting.

May  1 05:35:11 my_server ods-signerd[1960]: [hsm] unable to get key: key ca7e41658c07917f82ca1a77794a235d not found
May  1 05:35:11 my_server ods-signerd[1960]: [hsm] hsm_get_dnskey(): Got NULL key
May  1 05:35:11 my_server ods-signerd[1960]: [hsm] unable to get key: hsm failed to create dnskey
May  1 05:35:11 my_server ods-signerd[1960]: [zone] unable to prepare signing keys for zone my_domain.tld: error getting dnskey
May  1 05:35:11 my_server ods-signerd[1960]: [worker[1]] CRITICAL: failed to sign zone my_domain.tld: General error
May  1 05:35:11 my_server ods-signerd[1960]: back-off task [sign] for zone my_domain.tld with 3600 seconds


Looking back through the logs however, this is because ods-enforcer
purged that key from the HSM two weeks ago. The signconf file appears
not to have been correspondingly updated though and is therefore now
inconsistent. So I now have:-

In signconf/<my_domain.tld>.xml
------------------------
    <Keys>
      <TTL>PT1H</TTL>
      <Key>
        <Flags>257</Flags>
        <Algorithm>13</Algorithm>
        <Locator>4017f49c5510cd7747298b8cf5b07c63</Locator>
        <KSK/>
        <Publish/>
      </Key>
      <Key>
        <Flags>256</Flags>
        <Algorithm>13</Algorithm>
        <Locator>ca7e41658c07917f82ca1a77794a235d</Locator>
      </Key>
      <Key>
        <Flags>256</Flags>
        <Algorithm>13</Algorithm>
        <Locator>87fc66abfbe9fbb4f2eb97b02f31b0f9</Locator>
        <ZSK/>
        <Publish/>
      </Key>
    </Keys>

From ods-enforcer key list -d
-----------------------------
my_domain.tld                  KSK           omnipresent  omnipresent  omnipresent  NA           1    1    4017f49c5510cd7747298b8cf5b07c63
my_domain.tld                  ZSK           NA           omnipresent  NA           omnipresent  1    1    87fc66abfbe9fbb4f2eb97b02f31b0f9

From log:
---------
Apr 21 19:09:55 my_server ods-enforcerd[1936]: [enforcer] update zone: my_domain.tld
Apr 21 19:09:55 my_server ods-enforcerd[1936]: [enforcer] removeDeadKeys deleting key: ca7e41658c07917f82ca1a77794a235d
Apr 21 19:09:56 my_server ods-enforcerd[1936]: [hsm_key_factory_delete_key] looking for keys to purge from HSM
Apr 21 19:09:56 my_server ods-enforcerd[1936]: [hsm_key_factory_get_key] removing key ca7e41658c07917f82ca1a77794a235d from HSM
Apr 21 19:09:56 my_server ods-enforcerd[1936]: [enforcer] removeDeadKeys: keys deleted from HSM: 1
Apr 21 19:09:56 my_server ods-enforcerd[1936]: [enforcer] update: key_data_update() failed
Apr 21 19:09:57 my_server ods-enforcerd[1936]: [enforce_task] No changes to signconf file required for zone my_domain.tld

I'm guessing the significant error is the key_data_update failure and
that it probably relates to the change made in 2.1.8.

I suspect that just manually forcing regeneration of the signconf
would correct the immediate failure but, as this is occurring on a
domain which is relatively unimportant for me, I would like to try to
understand how/why the situation has arisen and how to correct it
properly/elegantly. I'm also anxious to reassure myself that the same
error is not about to occur on other, more critical zones.
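The inconsistency Colin describes (a <Locator> in the signconf that the enforcer no longer lists, and that the signer then fails to find in the HSM) can be checked for across all zones before it bites. The script below is an added example for this thread, not code from OpenDNSSEC or from either poster. It assumes only what the thread shows: signconf files carry one <Locator> per <Key>, `ods-enforcer key list -d` prints the key id as the last whitespace-separated column of each row, and ods-signerd logs "key <id> not found" when it cannot load a key. The sample inputs are constructed from the excerpts above.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the <Keys> block from the signconf quoted in the thread.
SIGNCONF_XML = """<Keys>
  <TTL>PT1H</TTL>
  <Key><Flags>257</Flags><Algorithm>13</Algorithm>
       <Locator>4017f49c5510cd7747298b8cf5b07c63</Locator><KSK/><Publish/></Key>
  <Key><Flags>256</Flags><Algorithm>13</Algorithm>
       <Locator>ca7e41658c07917f82ca1a77794a235d</Locator></Key>
  <Key><Flags>256</Flags><Algorithm>13</Algorithm>
       <Locator>87fc66abfbe9fbb4f2eb97b02f31b0f9</Locator><ZSK/><Publish/></Key>
</Keys>"""

# Constructed sample: the two rows of `ods-enforcer key list -d` from the thread.
KEY_LIST_OUTPUT = """my_domain.tld KSK omnipresent omnipresent omnipresent NA 1 1 4017f49c5510cd7747298b8cf5b07c63
my_domain.tld ZSK NA omnipresent NA omnipresent 1 1 87fc66abfbe9fbb4f2eb97b02f31b0f9"""

# Constructed sample: the first ods-signerd error line from the thread.
SIGNER_LOG = """May  1 05:35:11 my_server ods-signerd[1960]: [hsm] unable to get key: key ca7e41658c07917f82ca1a77794a235d not found
May  1 05:35:11 my_server ods-signerd[1960]: [hsm] hsm_get_dnskey(): Got NULL key"""

HEX_ID = re.compile(r"^[0-9a-f]{32}$")
LOG_MISSING = re.compile(r"unable to get key: key ([0-9a-f]{32}) not found")


def signconf_locators(xml_text):
    """Return one dict per <Key> in a signconf: locator, flags and which roles it carries."""
    root = ET.fromstring(xml_text)
    keys = []
    for key in root.iter("Key"):
        keys.append({
            "locator": key.findtext("Locator"),
            "flags": key.findtext("Flags"),
            "ksk": key.find("KSK") is not None,
            "zsk": key.find("ZSK") is not None,
            "publish": key.find("Publish") is not None,
        })
    return keys


def enforcer_key_ids(key_list_text):
    """Collect key ids from `ods-enforcer key list -d` rows (id is the last column)."""
    ids = set()
    for line in key_list_text.splitlines():
        parts = line.split()
        if parts and HEX_ID.match(parts[-1]):
            ids.add(parts[-1])
    return ids


def missing_keys_from_log(log_text):
    """Key ids that ods-signerd reported as not found in the HSM."""
    return set(LOG_MISSING.findall(log_text))


def orphaned_locators(xml_text, key_list_text):
    """Locators the signconf still references but the enforcer no longer lists."""
    known = enforcer_key_ids(key_list_text)
    return [k["locator"] for k in signconf_locators(xml_text) if k["locator"] not in known]


def report(xml_text, key_list_text, log_text):
    """Human-readable summary; returns the orphaned locators so callers can act on them."""
    orphans = orphaned_locators(xml_text, key_list_text)
    logged = missing_keys_from_log(log_text)
    for loc in orphans:
        seen = "already failing in signer log" if loc in logged else "not yet reported by signer"
        print(f"signconf references {loc} which the enforcer does not list ({seen})")
    if not orphans:
        print("signconf and enforcer key list agree")
    return orphans


if __name__ == "__main__":
    report(SIGNCONF_XML, KEY_LIST_OUTPUT, SIGNER_LOG)
```

Run against the real files by replacing the constructed strings with the contents of each signconf/<zone>.xml, the output of `ods-enforcer key list -d`, and the signer log; any locator the report flags is a zone whose next signing run will fail the same way, so it can be dealt with before the existing RRSIGs expire.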


OpenDNSSEC 2.1.9 will come out today or early tomorrow with a fix for this issue. Meanwhile you can upgrade to the release candidate for it. This will fix the issue.

https://dist.opendnssec.org/source/testing/opendnssec-2.1.9rc1.tar.gz

This issue has been reported lately on the list and your situation seems identical, or at least resolves this issue. Please let me know if it works for you, this will expedite my work.

\Berry

On 03/05/2021 13:01, Berry van Halderen via Opendnssec-user wrote:
On 2021-05-03 13:39, Colin Spensley via Opendnssec-user wrote:
I have a zone managed by OpenDNSSEC 2 which now is not resolved by
validating resolvers. The reason appears to be that the RRSIG over the
DNSKEY RRset has been allowed to expire by ods-signer.

I.e. (crudely obfuscated):-

my_domain.tld.        3600    IN    RRSIG    DNSKEY 13 3 3600 20210501213711 20210418073317 47867 my_domain.tld. BIzcTyvmGi/OcLaBdXMExes/iyHkrUC1qOhg4W4ybcjsS/zAXz65NJBa oojfCzX7gUo/DD9mXaMFZTyWm8iLpA==

The signer does run for the domain but does not regenerate this signature.

Can anyone suggest what might be causing this error?


Your log should provide more information.  There should be some logging lines, probably in /var/log/messages indicating that "ods-signer" has some error.  I would suggest a grep ods-signer /var/log/messages.

\Berry
_______________________________________________
Opendnssec-user mailing list
Opendnssec-user@lists.opendnssec.org
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user