[Opendnssec-develop] Enforcer died during production KSK rollover .nl

Antoin Verschuren antoin.verschuren at sidn.nl
Thu Oct 21 16:10:11 UTC 2010


Hi guys,

I promised I'd let you in on our details for the .nl key rollover.
As said, the enforcer died during key rollover on our production systems
last week. We practiced a manual key rollover for .nl before we send our
DS to the root next week or so.

The error for the enforcer was: CKR_TOKEN_NOT_PRESENT
But it shouldn't die on this, right?
After we started everything up again, the rollover continued normally,
and the error did not occur again:

[root at signera ~]# ods-ksmutil key list -v
SQLite database set to: /usr/local/opendnssec-1.1.0/var/opendnssec/kasp.db
Keys:
Zone:                           Keytype:      State:    Date of next transition:  CKA_ID:                           Repository:  Keytag:
nl                              KSK           active    2016-08-09 15:49:10       f4593529defe81bdf50c91c9e4760ef4  HSM-HA       38420
nl                              ZSK           active    2010-11-08 14:23:35       c8a075a8919a099d1f9b75e62433f95e  HSM-HA       37408

[root at signera ~]# ods-ksmutil key rollover --zone nl --keytype KSK
SQLite database set to: /usr/local/opendnssec-1.1.0/var/opendnssec/kasp.db
INFO: 0 ksks available in 'generate' state (need 1) - unable to promote until more keys generated
WARNING: key rollover not completed as there are no keys in the 'ready' state; ods-enforcerd will try again when it runs next

[root at signera ~]# ods-ksmutil key list -v
SQLite database set to: /usr/local/opendnssec-1.1.0/var/opendnssec/kasp.db
Keys:
Zone:                           Keytype:      State:    Date of next transition:  CKA_ID:                           Repository:  Keytag:
nl                              KSK           active    2010-10-13 14:05:39       f4593529defe81bdf50c91c9e4760ef4  HSM-HA       38420
nl                              ZSK           active    2010-11-08 14:23:35       c8a075a8919a099d1f9b75e62433f95e  HSM-HA       37408

Oct 13 14:05:39 signera ods-enforcerd: Error creating key in repository HSM-HA
Oct 13 14:05:39 signera ods-enforcerd: Find objects init: CKR_TOKEN_NOT_PRESENT

[root at signera log]# ods-control start
Starting signer engine...
connecting to /usr/local/opendnssec-1.1.0/var/run/opendnssec/engine.sock
OpenDNSSEC signer engine version 1.1.0
Zone list updated: 0 removed, 1 added, 0 updated
running as pid 16810
Starting enforcer...
OpenDNSSEC ods-enforcerd started (version 1.1.0), pid 16812

Oct 13 14:43:46 signera ods-enforcerd: Created key in repository HSM-HA
Oct 13 14:43:46 signera ods-enforcerd: Created KSK size: 2048, alg: 8 with id: 682bb4a60ff3c2bb74e88d378861c34b in repository: HSM-HA and database

[root at signera ~]# ods-ksmutil key list -v
SQLite database set to: /usr/local/opendnssec-1.1.0/var/opendnssec/kasp.db
Keys:
Zone:                           Keytype:      State:    Date of next transition:  CKA_ID:                           Repository:  Keytag:
nl                              KSK           active    2010-10-13 14:34:26       f4593529defe81bdf50c91c9e4760ef4  HSM-HA       38420
nl                              ZSK           active    2010-11-08 14:23:35       c8a075a8919a099d1f9b75e62433f95e  HSM-HA       37408
nl                              KSK           publish   2010-10-13 20:43:46       682bb4a60ff3c2bb74e88d378861c34b  HSM-HA       21362
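As an added example (not code from the message or from OpenDNSSEC), the following Python script parses `ods-ksmutil key list -v` listings like the ones quoted above and classifies where a KSK rollover stands, so that the "active KSK due, no successor" state the dead enforcer left behind is flagged by a script instead of being spotted by eye. It assumes the one-line-per-key layout ods-ksmutil prints (the mail wrapped those rows); the sample listings are reconstructed from the values in the message, and `parse_key_list`, `ksk_rollover_phase`, `check_rollover` and `CHECK_TIME` are this example's own names, not OpenDNSSEC tooling.

```python
"""Pre/post checks for an OpenDNSSEC 1.x KSK rollover, driven by the output of
`ods-ksmutil key list -v`. Added example, not code from the message or from
OpenDNSSEC. Assumes the one-line-per-key layout ods-ksmutil prints; the
listings below are reconstructed from the values in the message."""
from datetime import datetime

HDR = "Zone:  Keytype:  State:  Date of next transition:  CKA_ID:  Repository:  Keytag:"
OLD_KSK = "f4593529defe81bdf50c91c9e4760ef4"
ZSK = "c8a075a8919a099d1f9b75e62433f95e"
NEW_KSK = "682bb4a60ff3c2bb74e88d378861c34b"
# Constructed: a check time shortly after the `key rollover` command ran.
CHECK_TIME = datetime(2010, 10, 13, 14, 6, 0)

# Constructed listings: before `key rollover`; right after it, with the
# enforcer dead and no successor generated; after the restarted enforcer
# created the new KSK.
LISTING_BEFORE = f"""Keys:
{HDR}
nl  KSK  active  2016-08-09 15:49:10  {OLD_KSK}  HSM-HA  38420
nl  ZSK  active  2010-11-08 14:23:35  {ZSK}  HSM-HA  37408
"""
LISTING_PENDING = f"""Keys:
{HDR}
nl  KSK  active  2010-10-13 14:05:39  {OLD_KSK}  HSM-HA  38420
nl  ZSK  active  2010-11-08 14:23:35  {ZSK}  HSM-HA  37408
"""
LISTING_AFTER = f"""Keys:
{HDR}
nl  KSK  active   2010-10-13 14:34:26  {OLD_KSK}  HSM-HA  38420
nl  ZSK  active   2010-11-08 14:23:35  {ZSK}  HSM-HA  37408
nl  KSK  publish  2010-10-13 20:43:46  {NEW_KSK}  HSM-HA  21362
"""


def parse_key_list(text):
    """Turn `ods-ksmutil key list -v` output into one dict per key."""
    keys, in_table = [], False
    for line in text.splitlines():
        if line.startswith("Zone:"):      # column header; data rows follow
            in_table = True
            continue
        if not in_table or not line.strip():
            continue
        fields = line.split()
        if len(fields) != 8:
            raise ValueError("unexpected key row: %r" % line)
        zone, keytype, state, date, clock, cka_id, repo, keytag = fields
        keys.append({"zone": zone, "keytype": keytype, "state": state,
                     "next_transition": datetime.strptime(
                         date + " " + clock, "%Y-%m-%d %H:%M:%S"),
                     "cka_id": cka_id, "repository": repo, "keytag": int(keytag)})
    return keys


def ksks(keys, zone, *states):
    """KSKs of `zone`, optionally restricted to the given states."""
    return [k for k in keys if k["zone"] == zone and k["keytype"] == "KSK"
            and (not states or k["state"] in states)]


def ksk_rollover_phase(keys, zone, now):
    """'idle': one active KSK whose next transition lies in the future.
    'pending': the transition is due but no successor exists, i.e. the
    enforcer has not created the new key yet (the listing taken right after
    the CKR_TOKEN_NOT_PRESENT death). 'rolling': a successor exists."""
    active = ksks(keys, zone, "active")
    if len(active) != 1:
        raise ValueError("expected one active KSK for %s, found %d" % (zone, len(active)))
    if ksks(keys, zone, "generate", "publish", "ready"):
        return "rolling"
    return "pending" if active[0]["next_transition"] <= now else "idle"


def check_rollover(before, after, zone):
    """Confirm the rollover added a fresh KSK without touching the incumbent:
    same active CKA_ID and keytag, exactly one successor in 'publish' with a
    distinct CKA_ID and keytag in the same repository. Returns the successor."""
    old, cur = ksks(before, zone, "active"), ksks(after, zone, "active")
    if len(old) != 1 or len(cur) != 1 or old[0]["cka_id"] != cur[0]["cka_id"] \
            or old[0]["keytag"] != cur[0]["keytag"]:
        raise ValueError("incumbent KSK changed or missing")
    succ = ksks(after, zone, "publish")
    if len(succ) != 1:
        raise ValueError("expected one KSK in publish state, found %d" % len(succ))
    new = succ[0]
    if new["cka_id"] == old[0]["cka_id"] or new["keytag"] == old[0]["keytag"]:
        raise ValueError("successor reuses the incumbent's identifiers")
    if new["repository"] != old[0]["repository"]:
        raise ValueError("successor lives in a different repository")
    return new
```

Run against the three listings at `CHECK_TIME`, the phases come out as `idle`, `pending` and `rolling`: `key rollover` only pulls the active KSK's next transition forward to now, and the key creation itself is left to the next enforcer run, so when the enforcer dies on the HSM error at that moment the zone sits in `pending` until it is restarted. `check_rollover` then confirms the incumbent 38420/f459... KSK is unchanged and the new 21362/682b... key is in `publish` in the same repository.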