Hi

After setting up a new instance of opendnssec, I'm having some issues
when adding new zones. This is with opendnssec-1.2.0rc2 (initial
install was 1.2.0rc1, so no 1.1->1.2 db conversion needed) and softhsm
1.20 as the pkcs#11 provider.

I raise signer logging verbosity to 6 (after some earlier mostly
non-related thread), add a zone with "ods-ksmutil zone add --zone $zone
--policy $policy" which generates no output in the syslog. Then I wait
until the enforcer comes by on its regular interval.

After the first run, ods-ksmutil key list -v shows:

example.com                     KSK           publish   2010-12-10 14:46:22       42c301bb477f383991323c08c02d40dc  SoftHSM NOT IN repository
example.com                     ZSK           active    2011-01-09 11:46:22       f349cc85e0e1823f511f2467af4e75ff  SoftHSM NOT IN repository

And logging reveals:

2010-12-10T11:46:22+0100 [ods-signerd] publish dnskeys to zone example.com
2010-12-10T11:46:22+0100 [ods-signerd] open file: dir (null) file example.com.dnskeys for writing
2010-12-10T11:46:22+0100 [ods-signerd] could not find key 42c301bb477f383991323c08c02d40dc
2010-12-10T11:46:22+0100 [ods-signerd] error creating DNSKEY for key 42c301bb477f383991323c08c02d40dc
2010-12-10T11:46:22+0100 [ods-signerd] error adding DNSKEYs to zone example.com
2010-12-10T11:46:22+0100 [ods-signerd] task [add dnskeys to zone example.com] failed

(Complete logs are attached)

I can reproduce this without any problems.

I also just noticed that the key id (42c301bb477f383991323c08c02d40dc)
keeps coming back. I can remove a zone (ods-ksmutil zone delete) that
has this issue, remove all related files from /var/lib/opendnssec and
restart the suite. When I add a new zone with a name that was never used
before (example.com), the signer comes back again with this same key id.

Another note is that when I try to remove the broken zone, I receive an
error that seems to indicate that the database is not correctly set up:

ods-ksmutil zone delete --zone example.com
SQLite database set to: /var/lib/opendnssec/kasp.db
zonelist filename set to /etc/opendnssec/zonelist.xml.
ERROR: error executing SQL - no such column: STATE
Zone list updated: 1 removed, 0 added, 0 updated.
Configurations updated: 0; errors: 0; unchanged: 1.

So, how do I recover from this issue? Note that there is a production
zone (however not very important) currently being signed by this setup
correctly, so starting from scratch is really a last resort.

--
Regards,
        Tom

2010-12-10T11:46:22+0100 [ods-enforcerd] Reading config "/etc/opendnssec/conf.xml"
2010-12-10T11:46:22+0100 [ods-enforcerd] Reading config schema "/usr/share/opendnssec/conf.rng"
2010-12-10T11:46:22+0100 [ods-enforcerd] Communication Interval: 600
2010-12-10T11:46:22+0100 [ods-enforcerd] Using command: /usr/share/opendnssec/dnskey-mailer.sh root to submit DS records
2010-12-10T11:46:22+0100 [ods-enforcerd] SQLite database set to: /var/lib/opendnssec/kasp.db
2010-12-10T11:46:22+0100 [ods-enforcerd] Log User set to: local0
2010-12-10T11:46:22+0100 [ods-enforcerd] Switched log facility to: local0
2010-12-10T11:46:22+0100 [ods-enforcerd] Connecting to Database...
2010-12-10T11:46:22+0100 [ods-enforcerd] Policy dlv found.
2010-12-10T11:46:22+0100 [ods-enforcerd] Key sharing is Off.
2010-12-10T11:46:22+0100 [ods-enforcerd] No zones on policy dlv, skipping...
2010-12-10T11:46:22+0100 [ods-enforcerd] Purging keys...
2010-12-10T11:46:22+0100 [ods-enforcerd] Policy sidn found.
2010-12-10T11:46:22+0100 [ods-enforcerd] Key sharing is Off.
2010-12-10T11:46:22+0100 [ods-enforcerd] Purging keys...
2010-12-10T11:46:22+0100 [ods-enforcerd] zonelist filename set to /etc/opendnssec/zonelist.xml.
2010-12-10T11:46:22+0100 [ods-enforcerd] Zone tandemracen.nl found.
2010-12-10T11:46:22+0100 [ods-enforcerd] Policy for tandemracen.nl set to sidn.
2010-12-10T11:46:22+0100 [ods-enforcerd] Config will be output to /var/lib/opendnssec/signconf/tandemracen.nl.xml.
2010-12-10T11:46:22+0100 [ods-enforcerd] No change to: /var/lib/opendnssec/signconf/tandemracen.nl.xml
2010-12-10T11:46:22+0100 [ods-enforcerd] Zone example.com found.
2010-12-10T11:46:22+0100 [ods-enforcerd] Policy for example.com set to sidn.
2010-12-10T11:46:22+0100 [ods-enforcerd] Config will be output to /var/lib/opendnssec/signconf/example.com.xml.
2010-12-10T11:46:22+0100 [ods-enforcerd] INFO: Promoting ZSK from publish to active as this is the first pass for the zone
2010-12-10T11:46:22+0100 [ods-signerd] command handler 1 clients in progress...
2010-12-10T11:46:22+0100 [ods-signerd] command handler accept client 9
2010-12-10T11:46:22+0100 [ods-signerd] received command update example.com[18]
2010-12-10T11:46:22+0100 [ods-signerd] update command
2010-12-10T11:46:22+0100 [ods-signerd] cmdhandler: updating signer configuration (example.com)
2010-12-10T11:46:22+0100 [ods-signerd] zone example.com not found
2010-12-10T11:46:22+0100 [ods-signerd] update zone list
2010-12-10T11:46:22+0100 [ods-signerd] read zone list file /etc/opendnssec/zonelist.xml
2010-12-10T11:46:22+0100 [ods-signerd] open file: dir (null) file /etc/opendnssec/zonelist.xml for reading
2010-12-10T11:46:22+0100 [ods-signerd] check config file: /etc/opendnssec/zonelist.xml, use rng file: /usr/share/opendnssec/zonelist.rng
2010-12-10T11:46:22+0100 [ods-signerd] create zone tandemracen.nl
2010-12-10T11:46:22+0100 [ods-signerd] create zone example.com
2010-12-10T11:46:22+0100 [ods-signerd] no more zones
2010-12-10T11:46:22+0100 [ods-signerd] add zone example.com to zone list
2010-12-10T11:46:22+0100 [ods-signerd] update zone list
2010-12-10T11:46:22+0100 [ods-signerd] update zone example.com (signconf file /var/lib/opendnssec/signconf/example.com.xml)
2010-12-10T11:46:22+0100 [ods-signerd] load zone example.com signconf /var/lib/opendnssec/signconf/example.com.xml
2010-12-10T11:46:22+0100 [ods-signerd] open file: dir (null) file /var/lib/opendnssec/signconf/example.com.xml for reading
2010-12-10T11:46:22+0100 [ods-signerd] check config file: /var/lib/opendnssec/signconf/example.com.xml, use rng file: /usr/share/opendnssec/signconf.rng
2010-12-10T11:46:22+0100 [ods-signerd] open file: dir (null) file /var/lib/opendnssec/signconf/example.com.xml for reading
2010-12-10T11:46:22+0100 [ods-signerd] create key list
2010-12-10T11:46:22+0100 [ods-signerd] add key locator 42c301bb477f383991323c08c02d40dc
2010-12-10T11:46:22+0100 [ods-signerd] add key locator f349cc85e0e1823f511f2467af4e75ff
2010-12-10T11:46:22+0100 [ods-signerd] signer configuration settings ok
2010-12-10T11:46:22+0100 [ods-signerd] zone example.com now has signconf
2010-12-10T11:46:22+0100 [ods-signerd] open file: dir (null) file example.com.sc for writing
2010-12-10T11:46:22+0100 [ods-signerd] schedule task
2010-12-10T11:46:22+0100 [ods-signerd] wake up worker[1]
2010-12-10T11:46:22+0100 [ods-signerd] worker[1]: report for duty
2010-12-10T11:46:22+0100 [ods-signerd] worker[1]: lock tasklist
2010-12-10T11:46:22+0100 [ods-signerd] worker[1]: locked tasklist
2010-12-10T11:46:22+0100 [ods-signerd] pop task for zone example.com
2010-12-10T11:46:22+0100 [ods-signerd] delete task from list
2010-12-10T11:46:22+0100 [ods-signerd] worker[1] perform task for zone example.com
2010-12-10T11:46:22+0100 [ods-signerd] worker[1]: unlock tasklist
2010-12-10T11:46:22+0100 [ods-signerd] worker[1]: unlocked tasklist
2010-12-10T11:46:22+0100 [ods-signerd] worker[1]: lock zone example.com
2010-12-10T11:46:22+0100 [ods-signerd] worker[1]: locked zone example.com
2010-12-10T11:46:22+0100 [ods-signerd] read zone example.com from input file adapter /var/lib/opendnssec/unsigned/example.com
2010-12-10T11:46:22+0100 [ods-signerd] open file: dir (null) file /var/lib/opendnssec/unsigned/example.com for reading
2010-12-10T11:46:22+0100 [ods-signerd] system call: /bin/cp /var/lib/opendnssec/unsigned/example.com example.com.inbound > /dev/null
2010-12-10T11:46:22+0100 [ods-signerd] done handling command update example.com[18]
2010-12-10T11:46:22+0100 [ods-enforcerd] Disconnecting from Database...
2010-12-10T11:46:22+0100 [ods-enforcerd] Sleeping for 600 seconds.
2010-12-10T11:46:22+0100 [ods-signerd] read zone example.com from file example.com.inbound
2010-12-10T11:46:22+0100 [ods-signerd] open file: dir (null) file example.com.inbound for reading
2010-12-10T11:46:22+0100 [ods-signerd] zone example.com set SOA TTL to 3600
2010-12-10T11:46:22+0100 [ods-signerd] zone example.com set SOA MINIMUM to 3600
2010-12-10T11:46:22+0100 [ods-signerd] +DD example.com.
2010-12-10T11:46:22+0100 [ods-signerd] +rr example.com._3600_IN_SOA_a.ns.whyscream.net. admin.whyscream.net. 1 86400 1800 2419200 3600
2010-12-10T11:46:22+0100 [ods-signerd] +rr example.com._3600_IN_NS_a.ns.whyscream.net.
2010-12-10T11:46:22+0100 [ods-signerd] +rr example.com._3600_IN_NS_b.ns.whyscream.net.
2010-12-10T11:46:22+0100 [ods-signerd] +rr example.com._3600_IN_NS_ns-ext.tjeb.nl.
2010-12-10T11:46:22+0100 [ods-signerd] +rr example.com._3600_IN_A_178.18.84.173
2010-12-10T11:46:22+0100 [ods-signerd] open file: dir (null) file example.com.state for writing
2010-12-10T11:46:22+0100 [ods-signerd] publish dnskeys to zone example.com
2010-12-10T11:46:22+0100 [ods-signerd] open file: dir (null) file example.com.dnskeys for writing
2010-12-10T11:46:22+0100 [ods-signerd] could not find key 42c301bb477f383991323c08c02d40dc
2010-12-10T11:46:22+0100 [ods-signerd] error creating DNSKEY for key 42c301bb477f383991323c08c02d40dc
2010-12-10T11:46:22+0100 [ods-signerd] error adding DNSKEYs to zone example.com
2010-12-10T11:46:22+0100 [ods-signerd] task [add dnskeys to zone example.com] failed
2010-12-10T11:46:22+0100 [ods-signerd] worker[1]: unlock zone example.com
2010-12-10T11:46:22+0100 [ods-signerd] worker[1]: unlocked zone example.com
2010-12-10T11:46:22+0100 [ods-signerd] worker[1]: lock tasklist
2010-12-10T11:46:22+0100 [ods-signerd] worker[1]: locked tasklist
2010-12-10T11:46:22+0100 [ods-signerd] schedule task
2010-12-10T11:46:22+0100 [ods-signerd] On Fri Dec 10 13:46:22 2010 I will sign zone example.com
2010-12-10T11:46:22+0100 [ods-signerd] open file: dir (null) file example.com.task for writing
2010-12-10T11:46:22+0100 [ods-signerd] worker[1]: unlock tasklist
2010-12-10T11:46:22+0100 [ods-signerd] worker[1]: unlocked tasklist
2010-12-10T11:46:22+0100 [ods-signerd] worker[1]: report for duty
2010-12-10T11:46:22+0100 [ods-signerd] worker[1]: lock tasklist
2010-12-10T11:46:22+0100 [ods-signerd] worker[1]: locked tasklist
2010-12-10T11:46:22+0100 [ods-signerd] worker[1] no task ready
2010-12-10T11:46:22+0100 [ods-signerd] worker[1]: unlock tasklist
2010-12-10T11:46:22+0100 [ods-signerd] worker[1]: unlocked tasklist
2010-12-10T11:56:22+0100 [ods-enforcerd] Reading config "/etc/opendnssec/conf.xml"
2010-12-10T11:56:22+0100 [ods-enforcerd] Reading config schema "/usr/share/opendnssec/conf.rng"
2010-12-10T11:56:22+0100 [ods-enforcerd] Communication Interval: 600
2010-12-10T11:56:22+0100 [ods-enforcerd] Using command: /usr/share/opendnssec/dnskey-mailer.sh root to submit DS records
2010-12-10T11:56:22+0100 [ods-enforcerd] SQLite database set to: /var/lib/opendnssec/kasp.db
2010-12-10T11:56:22+0100 [ods-enforcerd] Log User set to: local0
2010-12-10T11:56:22+0100 [ods-enforcerd] Switched log facility to: local0
2010-12-10T11:56:22+0100 [ods-enforcerd] Connecting to Database...
2010-12-10T11:56:22+0100 [ods-enforcerd] Policy dlv found.
2010-12-10T11:56:22+0100 [ods-enforcerd] Key sharing is Off.
2010-12-10T11:56:22+0100 [ods-enforcerd] No zones on policy dlv, skipping...
2010-12-10T11:56:22+0100 [ods-enforcerd] Purging keys...
2010-12-10T11:56:22+0100 [ods-enforcerd] Policy sidn found.
2010-12-10T11:56:22+0100 [ods-enforcerd] Key sharing is Off.
2010-12-10T11:56:22+0100 [ods-enforcerd] Purging keys...
2010-12-10T11:56:22+0100 [ods-enforcerd] zonelist filename set to /etc/opendnssec/zonelist.xml.
2010-12-10T11:56:22+0100 [ods-enforcerd] Zone tandemracen.nl found.
2010-12-10T11:56:22+0100 [ods-enforcerd] Policy for tandemracen.nl set to sidn.
2010-12-10T11:56:22+0100 [ods-enforcerd] Config will be output to /var/lib/opendnssec/signconf/tandemracen.nl.xml.
2010-12-10T11:56:22+0100 [ods-enforcerd] No change to: /var/lib/opendnssec/signconf/tandemracen.nl.xml
2010-12-10T11:56:22+0100 [ods-enforcerd] Zone example.com found.
2010-12-10T11:56:22+0100 [ods-enforcerd] Policy for example.com set to sidn.
2010-12-10T11:56:22+0100 [ods-enforcerd] Config will be output to /var/lib/opendnssec/signconf/example.com.xml.
2010-12-10T11:56:22+0100 [ods-enforcerd] WARNING: key rollover not completed as there are no keys in the 'ready' state; ods-enforcerd will try again when it runs next
2010-12-10T11:56:22+0100 [ods-enforcerd] No change to: /var/lib/opendnssec/signconf/example.com.xml
2010-12-10T11:56:22+0100 [ods-enforcerd] Disconnecting from Database...
2010-12-10T11:56:22+0100 [ods-enforcerd] Sleeping for 600 seconds.
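
An added diagnostic script, not part of Tom's post or of OpenDNSSEC itself: it parses ods-signerd log lines and "ods-ksmutil key list -v" output and cross-checks which key locators the signer could not find are also the ones the KASP database reports as NOT IN repository. The regular expressions are assumptions fitted to the line formats quoted above, and the sample lines are constructed from those quotes.

```python
import re
from collections import defaultdict
# Line shapes taken from the syslog output and 'ods-ksmutil key list -v' quoted above (regexes are assumptions).
LOG_RE = re.compile(r"^(?P<ts>\S+) \[(?P<comp>[^\]]+)\] (?P<msg>.*)$")
MISSING_KEY_RE = re.compile(r"^could not find key (?P<locator>[0-9a-f]{32})$")
FAILED_TASK_RE = re.compile(r"^task \[(?P<task>.+?) (?P<zone>\S+)\] failed$")
NOT_IN_REPO_RE = re.compile(
    r"^(?P<zone>\S+)\s+(?P<type>KSK|ZSK)\s+(?P<state>\S+)\s+\S+\s+\S+\s+"
    r"(?P<locator>[0-9a-f]{32})\s+(?P<repo>\S+) NOT IN repository$")

# Constructed samples, copied from the lines quoted in the post.
SIGNER_LOG = """\
2010-12-10T11:46:22+0100 [ods-signerd] publish dnskeys to zone example.com
2010-12-10T11:46:22+0100 [ods-signerd] could not find key 42c301bb477f383991323c08c02d40dc
2010-12-10T11:46:22+0100 [ods-signerd] task [add dnskeys to zone example.com] failed
2010-12-10T11:46:22+0100 [ods-enforcerd] Sleeping for 600 seconds.
"""
KEY_LIST = """\
example.com    KSK    publish   2010-12-10 14:46:22    42c301bb477f383991323c08c02d40dc  SoftHSM NOT IN repository
example.com    ZSK    active    2011-01-09 11:46:22    f349cc85e0e1823f511f2467af4e75ff  SoftHSM NOT IN repository
"""

def parse_signer_log(text):
    """Collect locators the signer could not find and the tasks that failed, per zone."""
    missing, failed = set(), defaultdict(list)
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group("comp") != "ods-signerd":
            continue  # only signer messages carry the key lookup errors
        msg = m.group("msg")
        k = MISSING_KEY_RE.match(msg)
        if k:
            missing.add(k.group("locator"))
        t = FAILED_TASK_RE.match(msg)
        if t:
            failed[t.group("zone")].append(t.group("task"))
    return missing, dict(failed)

def parse_key_list(text):
    """Map locator -> (zone, key type, repository) for keys ksmutil flags as absent from the HSM."""
    rows = (NOT_IN_REPO_RE.match(l) for l in text.splitlines())
    return {m.group("locator"): (m.group("zone"), m.group("type"), m.group("repo")) for m in rows if m}

def correlate(log_text, keylist_text):
    # Locators the signer failed on that the KASP database also says are not in the repository.
    missing, failed = parse_signer_log(log_text)
    absent = parse_key_list(keylist_text)
    confirmed = {loc: absent[loc] for loc in sorted(missing) if loc in absent}
    return {"missing_in_log": missing, "failed_tasks": failed, "confirmed_absent": confirmed}
```

A non-empty confirmed_absent set means the enforcer handed the signer locators for key material that is not present in the HSM token, which is where to look before touching the zone or the database.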

Opendnssec-user mailing list
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user