Trouble with inline-signing mode

Nguyen Trung Kien ntkien at VNNIC.VN
Fri Jun 3 04:04:46 UTC 2016


Hello,
We're testing a DNSSEC system with bind-9.10.3-P4, openssl-1.0.1t and a Utimaco HSM.
My system operates normally in manual signing mode. But when I change to inline-signing mode, the system cannot re-sign domain zones after dnssec-loadkeys-interval (60 minutes by default).
I configured the zone options in named.conf for inline-signing mode:
zone "dnssec.test" in {
        type master;
        file "db.dnssec.test";
        key-directory "/data/dnssec/keys/dnssec.test/";
        auto-dnssec maintain;
        inline-signing yes;
};

I changed openssl.cnf so that zones can be re-signed automatically:
openssl_conf = openssl_def
[ openssl_def ]
engines = engine_section
[ engine_section ]
pkcs11 = pkcs11_section
[ pkcs11_section ]
PIN = xxxxx

Then I restart named, and the system re-signs automatically when new records are inserted via the nsupdate command. But after dnssec-loadkeys-interval (60 minutes by default), bind cannot load the private key from the HSM to re-sign the zone.

This is the bind log:
02-Jun-2016 11:47:28.557 general: info: zone dnssec.test/IN (signed): loaded serial 2016051809
02-Jun-2016 11:47:28.558 general: error: zone dnssec.test/IN (signed): receive_secure_serial: unchanged
02-Jun-2016 11:47:28.558 general: info: zone dnssec.test/IN (signed): reconfiguring zone keys
02-Jun-2016 11:55:14.046 general: info: received control channel command 'signing -list dnssec.test'
02-Jun-2016 12:00:49.378 general: info: received control channel command 'loadkeys dnssec.test'
02-Jun-2016 12:00:49.378 general: info: zone dnssec.test/IN (signed): reconfiguring zone keys
02-Jun-2016 12:00:49.383 general: info: zone dnssec.test/IN (signed): next key event: 02-Jun-2016 13:00:49.378
02-Jun-2016 13:00:49.378 general: info: zone dnssec.test/IN (signed): reconfiguring zone keys
02-Jun-2016 13:00:49.379 general: warning: ENGINE_load_private_key failed (not found)
02-Jun-2016 13:00:49.380 general: info: error:26096080:engine routines:ENGINE_load_private_key:failed loading private key:eng_pkey.c:126:
02-Jun-2016 13:00:49.380 general: warning: dns_dnssec_keylistfromrdataset: error reading private key file dnssec.test/RSASHA256/4494: not found

So what's wrong here? Thanks in advance for any help.
Kien Nguyen
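A small diagnostic that a defender can run against logs like the ones above, added here as an example and not part of the original post or of BIND itself. It pulls the zone, algorithm and key tag out of BIND's "error reading private key file" warning, maps them to the expected K&lt;zone&gt;.+&lt;alg&gt;+&lt;tag&gt;.private file name in key-directory, and reports whether that file is missing, is an ordinary file-backed key, or carries the Engine:/Label: fields that point at an HSM object. The field names and their base64 encoding are assumed from the format dnssec-keyfromlabel writes; the log lines and key files below are constructed sample input.

```python
"""Correlate BIND key-load failures with the contents of key-directory.

Added example, not code from the bind-users post or from BIND.
Assumptions (labelled): BIND names private keys K<zone>.+<alg3>+<tag5>.private,
and HSM-backed .private files carry base64-encoded "Engine:" and "Label:" fields.
"""
import base64
import re
from pathlib import Path

# DNSSEC algorithm mnemonic -> IANA number, as used in BIND key file names.
ALG_NUMBER = {
    "RSASHA1": 5, "NSEC3RSASHA1": 7, "RSASHA256": 8, "RSASHA512": 10,
    "ECDSAP256SHA256": 13, "ECDSAP384SHA384": 14,
}

# Matches the dns_dnssec_keylistfromrdataset warning shown in the post.
KEYFAIL_RE = re.compile(
    r"error reading private key file "
    r"(?P<zone>[^/\s]+)/(?P<alg>[A-Z0-9]+)/(?P<tag>\d+): (?P<reason>.+?)\s*$"
)


def find_failed_keys(log_lines):
    """Return (zone, alg, tag, reason) for every key BIND reported it could not load."""
    failed = []
    for line in log_lines:
        m = KEYFAIL_RE.search(line)
        if m:
            failed.append((m["zone"], m["alg"], int(m["tag"]), m["reason"]))
    return failed


def private_file_name(zone, alg, tag):
    """BIND's key file name, e.g. Kdnssec.test.+008+04494.private."""
    return f"K{zone}.+{ALG_NUMBER[alg]:03d}+{tag:05d}.private"


def parse_private_file(text):
    """Parse the 'Field: value' lines of a .private file into a dict."""
    fields = {}
    for line in text.splitlines():
        if ":" in line and not line.startswith("#"):
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    return fields


def diagnose(failed_keys, files):
    """Map each failed key to a finding; `files` is {file name: file content}."""
    findings = {}
    for zone, alg, tag, reason in failed_keys:
        name = private_file_name(zone, alg, tag)
        if name not in files:
            findings[name] = "missing: no .private file in key-directory"
            continue
        fields = parse_private_file(files[name])
        if "Engine" not in fields or "Label" not in fields:
            findings[name] = "file-backed key: no Engine/Label fields, engine lookup not expected"
            continue
        engine = base64.b64decode(fields["Engine"]).decode()
        label = base64.b64decode(fields["Label"]).decode()
        findings[name] = (f"HSM key: engine={engine} label={label}; BIND says '{reason}', "
                          "so verify the label exists in the token and the engine/PIN config")
    return findings


def load_key_directory(key_dir):
    """Read every K*.private under key_dir into the mapping diagnose() expects."""
    return {p.name: p.read_text() for p in Path(key_dir).glob("K*.private")}


def _b64(s):
    return base64.b64encode(s.encode()).decode()


# Constructed sample input: the warning from the post plus two made-up key files.
SAMPLE_LOG = [
    "02-Jun-2016 13:00:49.379 general: warning: ENGINE_load_private_key failed (not found)",
    "02-Jun-2016 13:00:49.380 general: warning: dns_dnssec_keylistfromrdataset: "
    "error reading private key file dnssec.test/RSASHA256/4494: not found",
]
SAMPLE_FILES = {
    # HSM-backed key (label value is a constructed placeholder; real syntax is engine-specific)
    "Kdnssec.test.+008+04494.private": ("Private-key-format: v1.3\nAlgorithm: 8 (RSASHA256)\n"
                                        f"Engine: {_b64('pkcs11')}\nLabel: {_b64('dnssec.test-ksk')}\n"),
    # Ordinary file-backed key with a dummy modulus
    "Kdnssec.test.+008+12345.private": "Private-key-format: v1.3\nAlgorithm: 8 (RSASHA256)\nModulus: AQAB\n",
}

if __name__ == "__main__":
    for name, finding in diagnose(find_failed_keys(SAMPLE_LOG), SAMPLE_FILES).items():
        print(f"{name}: {finding}")
```

Run it as-is to see the sample output, or replace SAMPLE_FILES with `load_key_directory("/data/dnssec/keys/dnssec.test/")` and SAMPLE_LOG with the real named log to check a live key-directory.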