[Opendnssec-develop] Enforcer died during production KSK rollover .nl

Roland van Rijswijk Roland.vanRijswijk at surfnet.nl
Fri Oct 22 09:55:34 UTC 2010


On 22 okt 2010, at 09:55, Antoin Verschuren wrote:

> On 21-10-10 19:15, Jakob Schlyter wrote:
>> On 21 okt 2010, at 18.10, Antoin Verschuren wrote:
>>> The error for the enforcer was: CKR_TOKEN_NOT_PRESENT
>> Was the HSM on-line and enabled when the error occurred?
> Yes. I know from googling that this is a pkcs11 error that libhsm
> probably just relays. The strange thing however is that the only thing
> we did was restarting the ODS, but changed nothing to the hsm, to tokens
> or to the config, and it just resumed. I can imagine a temporary
> connection issue, but should it then die ?

Perhaps safe behaviour would be for the enforcer to not terminate but rather report the error and sleep for another cycle. The problem - in our case - seemed to be ephemeral and went away when we restarted the enforcer. I think we (Antoin & I) probably need to talk to the HSM vendor about the cases in which this error can occur.



-- Roland M. van Rijswijk
-- SURFnet Middleware Services
-- t: +31-30-2305388
-- e: roland.vanrijswijk at surfnet.nl

More information about the Opendnssec-develop mailing list