[Opendnssec-user] ods-signerd unresponsive/crashes

Michael Braunoeder mib at nic.at
Wed Dec 21 09:28:55 UTC 2011


Am 20.12.2011 11:52, schrieb Michael Braunoeder:
> Hi,
>
> I'm running OpenDNSSEC 1.3.3 on a 64-bit-Debian 6.0 (packages backported
> manually from unstable). The zone to be signed is transfered via
> zonefetcher, signed and loaded on a local nameserver, the keys are
> stored in a HSM (Thales ncipher).
>
> After running a lot of test without any problems (including an endless
> loop signing (start a new sign-run after completing the last one) we
> moved to semi-production where I noticed 2 problems:
>
> - One of the 2 running ods-signerd processes sometimes crashes with this
> error messages:
>
>   >  kernel: [444495.143165] ods-signerd[1939] trap stack segment
> ip:41a1c6 sp:7fa3a855be00 error:0

I tried to reproduce the problem with verbosity 255 but I didn't get any 
useful error message:

> Dec 21 10:01:25 nssig2 ods-signerd: [fifo] popped item, count=986
> Dec 21 10:01:25 nssig2 ods-signerd: [rrset] signature validity 1142571 in range [1126800 - 1299600]
> Dec 21 10:01:25 nssig2 ods-signerd: skipping key 34517225089a4287e949bf7dd0fae5f5 for signing: RRset[1] already bsignature with same algorithm
> Dec 21 10:01:25 nssig2 ods-signerd: [rrset] skipping key 852d8652f265d1aabb7839338dbb2a13 for signing RRset[16]: no active ZSK
> Dec 21 10:01:25 nssig2 ods-signerd: [rrset] signature validity 1209547 in range [1126800 - 1299600]
> Dec 21 10:01:25 nssig2 ods-signerd: [rrset] recycle signature for RRset[50] (refresh=1324717220, signtime=1324458020, inception=1324386138, expiration=1325628394)
> Dec 21 10:01:25 nssig2 ods-signerd: [fifo] popped item, count=987
> Dec 21 10:01:25 nssig2 ods-signerd: skipping key 34517225089a4287e949bf7dd0fae5f5 for signing: RRset[1] already has signature with same algorithm
> Dec 21 10:01:25 nssig2 ods-signerd: [fifo] popped item, count=986
> Dec 21 10:01:25 nssig2 kernel: [1973275.222995] ods-signerd[9436] trap stack segment ip:41a1c6 sp:7f63027fbe00 error:0

Looks ok for me (except the last line ;-) Could this be an OpenDNSSEC or 
an HSM problem?

After an restart, the backup files are corrupt but a full signature run 
completes without any problems.

Best,
Michael



More information about the Opendnssec-user mailing list