Jun 21 06:23:51 ramanujan ods-enforcerd: Zone 4.1.0.0.0.0.1.6.0.1.0.0.2.ip6.arpa found.
Jun 21 06:23:51 ramanujan ods-enforcerd: Policy for 4.1.0.0.0.0.1.6.0.1.0.0.2.ip6.arpa set to default.
Jun 21 06:23:51 ramanujan ods-enforcerd: Config will be output to /var/lib/opendnssec/signconf/4.1.0.0.0.0.1.6.0.1.0.0.2.ip6.arpa.xml.
Jun 21 06:23:51 ramanujan ods-enforcerd: INFO: Promoting ZSK from publish to active as this is the first pass for the zone
Jun 21 06:23:51 ramanujan ods-enforcerd: ERROR: Trying to make non-backed up ZSK active when RequireBackup flag is set
Jun 21 06:23:51 ramanujan ods-enforcerd: KsmRequestKeys returned: 65562
Jun 21 06:23:51 ramanujan ods-enforcerd: Signconf not written for 4.1.0.0.0.0.1.6.0.1.0.0.2.ip6.arpa
Jun 21 06:50:34 ramanujan ods-auditor[20676]: Can't load 4.1.0.0.0.0.1.6.0.1.0.0.2.ip6.arpa SignerConfiguration file (/var/lib/opendnssec/signconf/4.1.0.0.0.0.1.6.0.1.0.

This is certainly a backup issue. You have a choice of requiring keys to be backed up or not, and you are running such that non-backed up keys will not be used (this is the safer mode to be in). Because the backups are not under ODS's control, the timings cannot be factored in to key generation, so issues like this may happen between key generation and backup... I'll see if this led to the "not enough keys" error that you originally posted; and if so I'll fix that confusing message.

I use SoftHSM which, as far as I know, has no real limit; right now
there are about 2500 keys in there. Nothing was logged besides statements
from ODS that a new key was generated.



There is no physical limit other than the maximum file size of your FS, or maybe what sqlite can cope with. However, you can set a soft limit in the repository section of conf.xml; this doesn't appear to be a factor in this case though.

Re: restarting the enforcer, currently adding a zone does not take immediate effect. You can HUP the enforcer by running "ods-control enforcer notify", or wait until it runs again according to its schedule.

Sion
_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
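
As an added example (not part of the original thread and not OpenDNSSEC code), this Python script scans enforcer syslog lines for the RequireBackup refusal shown in the log above and ties it to the zone that was left without a signconf. The message patterns are copied from the lines quoted in this thread; the function name and the example.org lines are constructed for the illustration, and each log entry is assumed to sit on one line.

```python
import re

# Message formats copied from the ods-enforcerd lines quoted in this thread.
LINE = re.compile(r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ ods-enforcerd: (?P<msg>.*)$")
ZONE_FOUND = re.compile(r"^Zone (\S+) found\.$")
BACKUP_ERR = re.compile(r"^ERROR: Trying to make non-backed up (\w+) active "
                        r"when RequireBackup flag is set$")
NOT_WRITTEN = re.compile(r"^Signconf not written for (\S+)$")


def backup_blocked_zones(lines):
    """Return one finding per refused key promotion (key not marked as
    backed up), noting whether the enforcer also reported that no signconf
    was written for that zone. Name is hypothetical, not an ODS API."""
    findings, by_zone, current = [], {}, None
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue  # other daemons (e.g. ods-auditor), blank lines
        msg = m["msg"]
        if z := ZONE_FOUND.match(msg):
            current = z[1]  # following messages belong to this zone
        elif e := BACKUP_ERR.match(msg):
            finding = {"zone": current, "time": m["ts"], "key": e[1],
                       "signconf_written": True}
            findings.append(finding)
            by_zone[current] = finding
        elif (n := NOT_WRITTEN.match(msg)) and n[1] in by_zone:
            by_zone[n[1]]["signconf_written"] = False
    return findings


ARPA = "4.1.0.0.0.0.1.6.0.1.0.0.2.ip6.arpa"
# First two lines are constructed (a zone with no error); the rest mirror the thread.
SAMPLE = f"""\
Jun 21 06:23:51 ramanujan ods-enforcerd: Zone example.org found.
Jun 21 06:23:51 ramanujan ods-enforcerd: Policy for example.org set to default.
Jun 21 06:23:51 ramanujan ods-enforcerd: Zone {ARPA} found.
Jun 21 06:23:51 ramanujan ods-enforcerd: ERROR: Trying to make non-backed up ZSK active when RequireBackup flag is set
Jun 21 06:23:51 ramanujan ods-enforcerd: KsmRequestKeys returned: 65562
Jun 21 06:23:51 ramanujan ods-enforcerd: Signconf not written for {ARPA}
Jun 21 06:50:34 ramanujan ods-auditor[20676]: Can't load {ARPA} SignerConfiguration file
""".splitlines()

if __name__ == "__main__":
    for f in backup_blocked_zones(SAMPLE):
        print(f"{f['time']} {f['zone']}: {f['key']} not backed up, "
              f"signconf written: {f['signconf_written']}")
```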
