<div dir="ltr"><div dir="ltr"><div dir="ltr"><p style="font-size:1em;margin:0px;font-family:"Verizon NHG DS",Arial,sans-serif;line-height:13px;color:black">ODS 2.1.9 SoftHSM 2.6.1, MySQL backend.</p><p style="font-size:1em;margin:0px;font-family:"Verizon NHG DS",Arial,sans-serif;line-height:13px;color:black"><br></p><p style="font-size:1em;margin:0px;font-family:"Verizon NHG DS",Arial,sans-serif;line-height:13px;color:black"><br></p><p style="font-size:1em;margin:0px;font-family:"Verizon NHG DS",Arial,sans-serif;line-height:13px;color:black">Jun 22 09:03:11 signer1 ods-enforcerd[1523461]: [enforcer] removeDeadKeys deleting key: 1b3a7b2082eb554cea378955dbe4af6a<br>Jun 22 09:03:11 signer1 ods-enforcerd[1523461]: [hsm_key_factory_delete_key] looking for keys to purge from HSM<br>Jun 22 09:03:11 signer1 ods-enforcerd[1523461]: [hsm_key_factory_get_key] removing key 1b3a7b2082eb554cea378955dbe4af6a from HSM<br>Jun 22 09:03:11 signer1 ods-enforcerd[1523461]: [enforcer] removeDeadKeys: keys deleted from HSM: 1<br>Jun 22 09:03:11 signer1 ods-enforcerd[1523461]: [enforcer] update: key_data_update() failed<br></p><p style="font-size:1em;margin:0px;font-family:"Verizon NHG DS",Arial,sans-serif;line-height:13px;color:black"><br></p><p style="font-size:1em;margin:0px;font-family:"Verizon NHG DS",Arial,sans-serif;line-height:13px;color:black">Seeing this regularly - for different keys. But only once per key.</p><div><br></div></div></div><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, May 26, 2021 at 5:23 PM Berry van Halderen via Opendnssec-user <<a href="mailto:opendnssec-user@lists.opendnssec.org" target="_blank">opendnssec-user@lists.opendnssec.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex">On 2021-05-26 17:15, Roman Serbski via Opendnssec-user wrote:<br>
> On Fri, May 7, 2021 at 5:14 PM Randy Bush via Opendnssec-user<br>
> <<a href="mailto:opendnssec-user@lists.opendnssec.org" target="_blank">opendnssec-user@lists.opendnssec.org</a>> wrote:<br>
>> <br>
>> > OpenDNSSEC 2.1.9 is out, which solves this issue I think.<br>
>> <br>
>> the kindness of dr akkerhuis allowed me to install on a binary-only<br>
>> freebsd.<br>
>> <br>
>> i am not positive that 2.1.9 fixed the problem; but it definintely<br>
>> suppressed the error messages :)<br>
> <br>
> Hello,<br>
> <br>
> I'm not 100% sure it's the same issue, but I start getting the similar<br>
> errors with OpenDNSSEC 2.1.9 under FreeBSD 12.2-RELEASE-p2 r369009.<br>
> <br>
> Some days ago, I removed one zone using the command:<br>
> <br>
> ods-enforcer zone delete --zone <a href="http://domain.org" rel="noreferrer" target="_blank">domain.org</a><br>
> <br>
> And yesterday I started receiving:<br>
<br>
Related, but not the same issue, and not really in OpenDNSSEC but with <br>
SoftHSM.<br>
The start/stop should have fixed it, but a ods-signer update --all <br>
should<br>
also have done the trick. I'm afraid this will turn out to be a <br>
concurrency<br>
issue that will be hard to pick up in SoftHSM.<br>
If anyone else sees this message I would like to know because I think it <br>
will be<br>
very rare.<br>
<br>
\Berry<br>
<br>
> May 24 19:16:29 SRV-SIGN01 ods-signerd[5480]: File.cpp(94): Could not<br>
> open the file (No such file or directory):<br>
> /var/lib/softhsm/tokens//3eab29c6-3b3f-fcf9-4aed-ff695aef81b0/63f07aa8-56e9-3639-4ebd-41692cb2a208.object<br>
> May 24 19:16:29 SRV-SIGN01 ods-signerd[5480]: [hsm] sign init:<br>
> CKR_OBJECT_HANDLE_INVALID<br>
> May 24 19:16:29 SRV-SIGN01 ods-signerd[5480]: [hsm] error signing<br>
> rrset with libhsm<br>
> May 24 19:16:29 SRV-SIGN01 ods-signerd[5480]: [rrset] unable to sign<br>
> RRset[6]: lhsm_sign() failed<br>
> May 24 19:16:29 SRV-SIGN01 ods-signerd[5480]: [worker[2]] sign zone<br>
> <a href="http://domain.org" rel="noreferrer" target="_blank">domain.org</a> failed: 1 RRsets failed<br>
> May 24 19:16:29 SRV-SIGN01 ods-signerd[5480]: [worker[2]] CRITICAL:<br>
> failed to sign zone <a href="http://domain.org" rel="noreferrer" target="_blank">domain.org</a>: General error<br>
> May 24 19:16:29 SRV-SIGN01 ods-signerd[5480]: back-off task [sign] for<br>
> zone <a href="http://domain.org" rel="noreferrer" target="_blank">domain.org</a> with 60 seconds<br>
> <br>
> I also noticed errors while purging expired ZSKs for other domains, for <br>
> example:<br>
> <br>
> May 24 17:35:01 SRV-SIGN01 ods-enforcerd[5474]: [enforcer] update<br>
> zone: <a href="http://domain2.org" rel="noreferrer" target="_blank">domain2.org</a><br>
> May 24 17:35:01 SRV-SIGN01 ods-enforcerd[5474]: [enforcer]<br>
> removeDeadKeys deleting key: 37abe5998879aceefea122b69ca98751<br>
> May 24 17:35:01 SRV-SIGN01 ods-enforcerd[5474]:<br>
> [hsm_key_factory_delete_key] looking for keys to purge from HSM<br>
> May 24 17:35:01 SRV-SIGN01 ods-enforcerd[5474]:<br>
> [hsm_key_factory_get_key] removing key<br>
> 37abe5998879aceefea122b69ca98751 from HSM<br>
> May 24 17:35:01 SRV-SIGN01 ods-enforcerd[5474]:<br>
> [hsm_key_factory_get_key] removing key<br>
> be586f8af9ec83163ffe73c66a21f319 from HSM<br>
> May 24 17:35:01 SRV-SIGN01 ods-enforcerd[5474]:<br>
> [hsm_key_factory_get_key] removing key<br>
> 78586dbbaab0ebf9ddd01b0fb4cbd83f from HSM<br>
> May 24 17:35:01 SRV-SIGN01 ods-enforcerd[5474]: [enforcer]<br>
> removeDeadKeys: keys deleted from HSM: 3<br>
> May 24 17:35:01 SRV-SIGN01 ods-enforcerd[5474]: [enforcer] update:<br>
> key_data_update() failed<br>
> May 24 17:35:01 SRV-SIGN01 ods-enforcerd[5474]: [enforce_task] No<br>
> changes to signconf file required for zone <a href="http://domain2.org" rel="noreferrer" target="_blank">domain2.org</a><br>
> <br>
> /usr/local/etc/rc.d/opendnssec stop/start seems to suppress the error.<br>
> <br>
> Thanks.<br>
> _______________________________________________<br>
> Opendnssec-user mailing list<br>
> <a href="mailto:Opendnssec-user@lists.opendnssec.org" target="_blank">Opendnssec-user@lists.opendnssec.org</a><br>
> <a href="https://lists.opendnssec.org/mailman/listinfo/opendnssec-user" rel="noreferrer" target="_blank">https://lists.opendnssec.org/mailman/listinfo/opendnssec-user</a><br>
_______________________________________________<br>
Opendnssec-user mailing list<br>
<a href="mailto:Opendnssec-user@lists.opendnssec.org" target="_blank">Opendnssec-user@lists.opendnssec.org</a><br>
<a href="https://lists.opendnssec.org/mailman/listinfo/opendnssec-user" rel="noreferrer" target="_blank">https://lists.opendnssec.org/mailman/listinfo/opendnssec-user</a><br>
</blockquote></div></div>