Update: we have found the problem.

The problem was that the enforcer was running as user 'opendnssec' but the signer ran as user 'root'. Therefore, the enforcer could not notify the signer about the signconf update.

The relevant log message was "Could not call signer engine".

Obviously the signer re-reads the signconf not only on "update", but also on restart. This makes sense, as the signer could have missed an "update" while it was not running.

Thanks for the troubleshooting hints
Klaus
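The root cause above was the two OpenDNSSEC daemons running under different accounts. A quick sanity check for that condition, added here as an example and not taken from the thread or from the OpenDNSSEC project, is to compare the owning user of the enforcer and signer processes. It assumes the daemon process names are ods-enforcerd and ods-signerd (the names used by OpenDNSSEC 1.x; adjust if your install differs) and works on constructed `ps -eo user,comm` output so it can be tried offline.

```shell
# Constructed sample of `ps -eo user,comm` output (not real system output);
# it reproduces the mismatch described in the thread: signer as root,
# enforcer as opendnssec.
SAMPLE_PS='USER     COMMAND
root     ods-signerd
opendnssec ods-enforcerd
root     sshd'

# ods_daemon_users <ps-output>
# Print "user daemon" for each OpenDNSSEC daemon found in the ps output.
# Daemon names are an assumption (ods-signerd / ods-enforcerd).
ods_daemon_users() {
    printf '%s\n' "$1" \
        | awk '$2 == "ods-signerd" || $2 == "ods-enforcerd" { print $1, $2 }'
}

# ods_users_match <ps-output>
# Exit status 0: both daemons run as the same user.
#             1: both are running but under different users (the thread's bug).
#             2: at least one daemon is not running at all.
ods_users_match() {
    signer=$(printf '%s\n' "$1"   | awk '$2 == "ods-signerd"   { print $1; exit }')
    enforcer=$(printf '%s\n' "$1" | awk '$2 == "ods-enforcerd" { print $1; exit }')
    [ -n "$signer" ] && [ -n "$enforcer" ] || return 2
    [ "$signer" = "$enforcer" ]
}

# Live check against the running system when the script is executed directly.
# The result is stored in a variable so the check is safe under `set -e`.
status=0
ods_users_match "$(ps -eo user,comm 2>/dev/null)" || status=$?
case "$status" in
    0) echo "ok: ods-enforcerd and ods-signerd run as the same user" ;;
    1) echo "MISMATCH: enforcer and signer run as different users:"
       ods_daemon_users "$(ps -eo user,comm 2>/dev/null)" ;;
    *) echo "one or both OpenDNSSEC daemons are not running" ;;
esac
```

Running this on a host in the state described (signer as root, enforcer as opendnssec) reports the mismatch; that is the condition that surfaced in the logs as "Could not call signer engine".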

On 15.11.2013 13:42, Klaus Darilion wrote:


On 14.11.2013 15:13, Matthijs Mekking wrote:
On 11/14/2013 02:26 PM, Klaus Darilion wrote:

Meanwhile I restarted the ods-signer daemon and after the next zone file
update, ods signed with the correct key. So for now it is fixed, but do
you have any ideas why the signer still used the old KSK after the KSK
rollover?

Can you perhaps provide logs (off list if you wish)?

We have syslog logging, but this is rather quiet. Is there anything
special for which I should look?

I just wanted to make sure no warnings or errors were logged.

I just checked the logs. The enforcer logged the rollovers (e.g. waiting
for ds-seen, ...), but no errors or warnings. Also the signer did not
log any warnings/errors. We triggered both - a manual ZSK rollover,
followed by a manual KSK rollover - and both showed the same problem. The
enforcer switched to the new key, but the signer still used the old key.

I also checked the signed zone files (we back them up after every signing
run): the new KSK and the new ZSK never showed up in the zone file; only
when I restarted the signer daemon did it switch from the old to the new
keys.

regards
Klaus
_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user