I've been using DNSSEC to sign my internal DNS zones with FreeIPA for quite some time now and have never had any problems. But suddenly I noticed that ipa-dnskeysyncd.service was continuously failing to start, with this error in the journal:

dnssec-keyfromlabel: fatal: failed to get key RSASHA256: not found
ipa-dnskeysyncd.service: Main process exited, code=exited, status=1/FAILURE

Looking deeper into the logs, I could see that LDAP was happily reporting it was adding key metadata to my zones, but the local token was instantly rejecting it:

The public key was not found at: pkcs11:object=...

The root cause turned out to be a cryptographic "split-brain": the key metadata stored in the LDAP directory was correct, but the private/public key material that metadata points to was missing from the local SoftHSM token. ipa-dnskeysyncd takes the key references from LDAP and expects to find the matching objects in the token; when they aren't there, dnssec-keyfromlabel cannot load the key and the service fails on startup.

You can check whether the keys recorded in LDAP are actually present in the token by pointing pkcs11-tool at the FreeIPA SoftHSM database:

[root@ipa03 ~]# export SOFTHSM2_CONF=/e...
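Checking a handful of labels by eye is fine for one server, but the same split-brain check is easy to script: take the pkcs11: URIs that ipa-dnskeysyncd complains about, list the token with pkcs11-tool, and report which referenced objects are absent. The following is an added example written for this post, not code from FreeIPA or from the original author. It assumes the plain-text layout that OpenSC's pkcs11-tool --list-objects prints ("Public Key Object; ..." headers followed by indented label:/ID: lines); the token listing, key labels, IDs and URIs embedded below are constructed sample data, not output from a real FreeIPA token.

```python
"""Reconcile pkcs11: URIs referenced by ipa-dnskeysyncd against the objects
actually present in a SoftHSM token (as printed by pkcs11-tool --list-objects).

Example code for illustration; not part of FreeIPA or OpenSC.
"""
import re
import sys
from urllib.parse import unquote

# Constructed sample of `pkcs11-tool --module libsofthsm2.so --list-objects` output.
# The layout mimics OpenSC's pkcs11-tool; labels and IDs are made up for the example.
# The ZSK has both halves, the KSK only has its public half in the token.
SAMPLE_TOKEN_LISTING = """\
Private Key Object; RSA
  label:      dnssec-zsk-example
  ID:         0a1b2c
  Usage:      sign
Public Key Object; RSA 2048 bits
  label:      dnssec-zsk-example
  ID:         0a1b2c
  Usage:      verify
Public Key Object; RSA 2048 bits
  label:      dnssec-ksk-example
  ID:         3d4e5f
  Usage:      verify
"""

# Constructed URIs in the style of the "public key was not found at: pkcs11:object=..."
# log line; in practice you would copy them from the failing ipa-dnskeysyncd log.
EXPECTED_URIS = [
    "pkcs11:object=dnssec-zsk-example;type=public",
    "pkcs11:object=dnssec-zsk-example;type=private",
    "pkcs11:object=dnssec-ksk-example;type=public",
    "pkcs11:object=dnssec-ksk-example;type=private",   # missing from the token
    "pkcs11:object=dnssec-old-ksk;type=public",        # no such object at all
]

OBJECT_HEADER = re.compile(r"^(Private Key|Public Key|Secret Key|Certificate|Data) Object;")
ATTR_LINE = re.compile(r"^\s+(\w+):\s+(.*)$")

# PKCS#11 URI "type" attribute (RFC 7512) -> object class as pkcs11-tool names it
CLASS_FOR_TYPE = {"public": "Public Key", "private": "Private Key", "secret-key": "Secret Key"}


def parse_token_listing(text):
    """Turn pkcs11-tool --list-objects output into [{'class', 'label', 'id'}, ...]."""
    objects, current = [], None
    for line in text.splitlines():
        header = OBJECT_HEADER.match(line)
        if header:
            current = {"class": header.group(1), "label": None, "id": None}
            objects.append(current)
            continue
        attr = ATTR_LINE.match(line)
        if attr and current is not None:
            key, value = attr.group(1).lower(), attr.group(2).strip()
            if key in ("label", "id"):   # ignore Usage:, Access:, etc.
                current[key] = value
    return objects


def parse_pkcs11_uri(uri):
    """Return the path attributes of a pkcs11: URI as a dict (percent-decoded)."""
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a pkcs11: URI: %r" % uri)
    path = uri[len("pkcs11:"):].partition("?")[0]   # drop query attributes
    attrs = {}
    for part in path.split(";"):
        if part:
            key, _, value = part.partition("=")
            attrs[key] = unquote(value)
    return attrs


def find_missing(uris, objects):
    """Return the URIs whose (class, label) is not present in the token listing.

    A URI without a type attribute is checked as a public key, matching the
    "public key was not found" message ipa-dnskeysyncd emits.
    """
    present = {(o["class"], o["label"]) for o in objects}
    missing = []
    for uri in uris:
        attrs = parse_pkcs11_uri(uri)
        wanted_class = CLASS_FOR_TYPE.get(attrs.get("type", "public"), "Public Key")
        if (wanted_class, attrs.get("object")) not in present:
            missing.append(uri)
    return missing


if __name__ == "__main__":
    # Pipe real `pkcs11-tool --list-objects` output on stdin; otherwise use the sample.
    listing = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_TOKEN_LISTING
    objects = parse_token_listing(listing)
    print("%d objects in token" % len(objects))
    for uri in find_missing(EXPECTED_URIS, objects):
        print("MISSING in token:", uri)
```

Run it with the sample data and it flags the KSK's private half and the stale label as missing; every URI it reports is a key that LDAP still references but the token cannot serve, which is exactly the state that makes dnssec-keyfromlabel fail. Against a real server, feed it the output of pkcs11-tool (with SOFTHSM2_CONF pointing at the FreeIPA token) and replace EXPECTED_URIS with the URIs from the log.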