[Opendnssec-develop] Enforcer died during production KSK rollover .nl

Antoin Verschuren antoin.verschuren at sidn.nl
Thu Oct 21 18:10:11 CEST 2010


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi guys,

I promissed I'd let you in on our details for the .nl key-rollover.
As said, the enforcer died during key rollover on our production systems
last week. We practiced a manual key-rollover for .nl before we send our
DS to the root next week or so.

The error for the enforcer was: CKR_TOKEN_NOT_PRESENT
But it shouldn't die on this right ?
After we started everything up again, the rollover continued normally,
and the error did not occur again:

[root at signera ~]# ods-ksmutil key list -v
SQLite database set to: /usr/local/opendnssec-1.1.0/var/opendnssec/kasp.db
Keys:
Zone:                           Keytype:      State:    Date of next
transition:  CKA_ID:                           Repository:
         Keytag:
nl                              KSK           active    2016-08-09
15:49:10       f4593529defe81bdf50c91c9e4760ef4  HSM-HA
           38420
nl                              ZSK           active    2010-11-08
14:23:35       c8a075a8919a099d1f9b75e62433f95e  HSM-HA
           37408

[root at signera ~]# ods-ksmutil key rollover --zone nl --keytype KSK

SQLite database set to: /usr/local/opendnssec-1.1.0/var/opendnssec/kasp.db
INFO: 0 ksks available in 'generate' state (need 1) - unable to promote
until more keys generated
WARNING: key rollover not completed as there are no keys in the 'ready'
state; ods-enforcerd will try again when it runs next

[_root at signera:~^[\[root at signera ~]# ods-ksmutil key list -v
SQLite database set to: /usr/local/opendnssec-1.1.0/var/opendnssec/kasp.db
Keys:
Zone:                           Keytype:      State:    Date of next
transition:  CKA_ID:                           Repository:
         Keytag:
nl                              KSK           active    2010-10-13
14:05:39       f4593529defe81bdf50c91c9e4760ef4  HSM-HA
           38420
nl                              ZSK           active    2010-11-08
14:23:35       c8a075a8919a099d1f9b75e62433f95e  HSM-HA
           37408

Oct 13 14:05:39 signera ods-enforcerd: Error creating key in repository
HSM-HA
Oct 13 14:05:39 signera ods-enforcerd: Find objects init:
CKR_TOKEN_NOT_PRESENT

[root at signera log]# ods-control start
Starting signer engine...
connecting to /usr/local/opendnssec-1.1.0/var/run/opendnssec/engine.sock
OpenDNSSEC signer engine version 1.1.0
Zone list updated: 0 removed, 1 added, 0 updated
running as pid 16810
Starting enforcer...
OpenDNSSEC ods-enforcerd started (version 1.1.0), pid 16812

Oct 13 14:43:46 signera ods-enforcerd: Created key in repository HSM-HA
Oct 13 14:43:46 signera ods-enforcerd: Created KSK size: 2048, alg: 8
with id: 682bb4a60ff3c2bb74e88d378861c34b in repository: HSM-HA and database

[_root at signera:~^[\[root at signera ~]# ods-ksmutil key list -v
SQLite database set to: /usr/local/opendnssec-1.1.0/var/opendnssec/kasp.db
Keys:
Zone:                           Keytype:      State:    Date of next
transition:  CKA_ID:                           Repository:
         Keytag:
nl                              KSK           active    2010-10-13
14:34:26       f4593529defe81bdf50c91c9e4760ef4  HSM-HA
           38420
nl                              ZSK           active    2010-11-08
14:23:35       c8a075a8919a099d1f9b75e62433f95e  HSM-HA
           37408
nl                              KSK           publish   2010-10-13
20:43:46       682bb4a60ff3c2bb74e88d378861c34b  HSM-HA
           21362
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQEcBAEBAgAGBQJMwGXUAAoJEDqHrM883AgnzQgIANe+Ddis/xXpFoqw3I4BHRQE
8CHygGgOG1I+d1lKQoWWYJN2iO+PcHdloPtFRWlnLO8p0wZJhnwEqAgSB5KNSVit
E3LbqLbfUqFYTknsxfhjtyXxB0P0yDmPDUhBwwIXSvfAtoNpb8UoYOrYh8ZxA1m8
65UnZYRTx3qg8y+F3nMnU6cijEQ6MfE0Rn5cveHI+CgK7jNu7luSllNqFRgEKolB
4Kl3l2GDbiQVse4Qqq5BG+/BhSzEbuLg9MHkB0NuMK+zhIkHpXFNBHyon2ovvQ2t
k66IvDoyuRnNvzy4bW4SJ496n+GS8+NO0dWprRTPNhh1NoibZnlcmaaknLzGFS4=
=hH3o
-----END PGP SIGNATURE-----



More information about the Opendnssec-develop mailing list