[Opendnssec-user] SoftHSM errors
Matthijs Mekking
matthijs at NLnetLabs.nl
Thu Jan 20 13:22:04 UTC 2011
Hi Casper,
It looks like the signer could not access the HSM. I see that listing
the keys as root works, but does the signer have the right permissions to
access the keys stored in the SoftHSM?
Best regards,
Matthijs
On 01/20/2011 01:27 PM, Casper Gielen wrote:
> I just spotted a few errors in my logs. The same happens for other zones as well.
> Despite these errors the key seems to be stored just fine.
> I use SoftHSM version 1.2.0 as packaged by Ondřej Surý.
> There is no real problem, things just work. I wonder if this is really an error
> or just a misleading message.
>
> Jan 20 13:04:45 metagross ods-signerd: No information yet for key 8c02fca833110020983c64f61ae843fc
> Jan 20 13:04:45 metagross ods-signerd: Generating DNSKEY RR for 8c02fca833110020983c64f61ae843fc
> Jan 20 13:04:45 metagross ods-signerd: Run command: '/usr/lib/opendnssec/opendnssec/get_class -f /var/lib/opendnssec/tmp/example.com.sorted'
> Jan 20 13:04:45 metagross ods-signerd: create_dnskey stderr: Error initializing libhsm
> Jan 20 13:04:45 metagross ods-signerd: create_dnskey status: 3
> Jan 20 13:04:45 metagross ods-signerd: equality: False
> Jan 20 13:04:45 metagross ods-signerd: Error: could not find key 8c02fca833110020983c64f61ae843fc
> Jan 20 13:04:45 metagross ods-signerd: Run command: '/usr/lib/opendnssec/opendnssec/get_class -f /var/lib/opendnssec/tmp/example.com.sorted'
> Jan 20 13:04:45 metagross ods-signerd: Run command: '/usr/lib/opendnssec/opendnssec/zone_reader -c /etc/opendnssec/conf.xml -f /var/lib/opendnssec/tmp/example.com.sorted -k 1 -o example.com -s /var/lib/opendnssec/signconf/example.com.xml -w /var/lib/opendnssec/tmp/example.com.nsecced -x /var/lib/opendnssec/tmp/example.com.optout'
> Jan 20 13:04:45 metagross ods-signerd: Writing file to zone_reader: /var/lib/opendnssec/tmp/example.com.sorted
> Jan 20 13:04:45 metagross ods-signerd: Nseccing failed
> Jan 20 13:04:45 metagross ods-signerd: create_dnskey stderr: Error initializing libhsm
> Jan 20 13:04:45 metagross ods-signerd: create_dnskey status: 3
> Jan 20 13:04:45 metagross ods-signerd: equality: False
>
> root@metagross:~# ods-ksmutil key list --zone example.com -v
> SQLite database set to: /var/lib/opendnssec/db/kasp.db
> Keys:
> Zone:        Keytype:  State:   Date of next transition:  CKA_ID:                           Repository:  Keytag:
> example.com  KSK       active   2011-11-29 14:35:20       927ec803b8cecd1660ac461ce52710f7  SoftHSM      36969
> example.com  KSK       dsready  When required             39aee23e7d7353cf3b611daf58d0ce41  SoftHSM      10813
> example.com  KSK       dsready  When required             d50ea2e36b1cc9f59dd20a3b970f4f17  SoftHSM      12793
> example.com  ZSK       active   2011-01-25 13:54:33       a23bcd8ab51453011b030f336804149b  SoftHSM      40155
> example.com  ZSK       ready    next rollover             8221da5577cb758178d03e76ba62e679  SoftHSM      28775
> example.com  ZSK       ready    next rollover             c79ba9dcd023e48cd7291bbd0d9ea776  SoftHSM      26460
> example.com  ZSK       ready    next rollover             55e036a808ce250677759122524c5c70  SoftHSM      5940
> example.com  ZSK       ready    next rollover             8c02fca833110020983c64f61ae843fc  SoftHSM      46688
>
> root@metagross:~# ods-ksmutil key export --zone example.com --keytype ZSK --keystate READY |grep 46688
> SQLite database set to: /var/lib/opendnssec/db/kasp.db
> example.com. 3600 IN DNSKEY 256 3 7 AwEAAcZYtP3U/NAzDV5D4aeR5QFAU93/nx50ajj6FxG6Z9fXI7visFIt6Eo+p85HmQHozE65jkBzPuP6QV7l2r4A0Np5rDs5diKsRrSHgxTGsRVaKdOzWfzHsYW1hnvktNoHV+ZM9G/He0+0zwEPfaatqi1hLQ30CujfcDkTRyCeOeWv ;{id = 46688 (zsk), size = 1024b}
>
> root@metagross:~# softhsm --version
> 1.2.0
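The permission question raised in the reply can be checked mechanically for the account the signer runs as. The following is an added example, not code from this thread or from the OpenDNSSEC or SoftHSM projects; it assumes the SoftHSM 1.x `softhsm.conf` format of `<slot>:<token database path>` lines, evaluates classic Unix mode bits only (no ACLs), and all function names are hypothetical.

```python
import os

def parse_softhsm_conf(text):
    """Return {slot: path} from 'slot:path' lines (assumed SoftHSM 1.x format)."""
    slots = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blanks
        if not line or ":" not in line:
            continue
        slot, path = line.split(":", 1)
        if slot.strip().isdigit():
            slots[int(slot)] = path.strip()
    return slots

def allowed(st, uid, gids, want):
    """Evaluate owner/group/other mode bits for uid and gids; want is a subset of 'rwx'."""
    if uid == 0:  # root bypasses ordinary permission checks
        return True
    if uid == st.st_uid:
        shift = 6
    elif st.st_gid in gids:
        shift = 3
    else:
        shift = 0
    bits = (st.st_mode >> shift) & 7
    need = sum({"r": 4, "w": 2, "x": 1}[c] for c in want)
    return bits & need == need

def check_tokens(conf_text, uid, gids):
    """Map each token database path to the problems the given account would hit."""
    report = {}
    for _slot, path in sorted(parse_softhsm_conf(conf_text).items()):
        problems = []
        try:
            # The token is a database file: the account needs to enter and
            # write to its directory as well as read and write the file.
            if not allowed(os.stat(os.path.dirname(path) or "."), uid, gids, "wx"):
                problems.append("directory not writable/searchable")
            if not allowed(os.stat(path), uid, gids, "rw"):
                problems.append("token file not readable/writable")
        except OSError as exc:
            problems.append("stat failed: %s" % exc.strerror)
        report[path] = problems
    return report
```

Call `check_tokens` with the contents of `softhsm.conf` and the uid and group ids of the account `ods-signerd` runs as; an empty list for a path means the mode bits do not block that account.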