[Opendnssec-user] Semi-Urgent: Production SoftHSM with Wrong schema version

Peter Olsson pol at leissner.se
Sat Jun 4 22:25:18 UTC 2011


Some details first:
I have less than a week to solve this problem, current
signatures expire at 20110611.
FreeBSD 8.1-RELEASE-p4
OpenDNSSEC 1.2.1 (installed from FreeBSD ports)
SoftHSM 1.2.1 (installed from FreeBSD ports)

Two weeks ago we started using OpenDNSSEC for the main three 
production domains of a customer. No problems at all until
today, when I upgraded sqlite3 from to

The release notes for the sqlite3 upgrade seemed to indicate
that it was safe, but after the upgrade and a reboot
/usr/local/var (which I have softlinked to
/var/named/usr/local/var because named is chrooted)
had disappeared completely.
I may have caused this myself since I was stupid enough not
to stop ods-signer and ods-enforcerd during the sqlite3 upgrade.

I restored from yesterdays backup, but now I get these errors:
ods-enforcerd: SoftHSM: init: Wrong database schema version: /usr/local/var/softhsm/slot0.db
ods-enforcerd: hsm_get_slot_id(): could not find token with the name OpenDNSSEC
ods-signerd: SoftHSM: init: Wrong database schema version: /usr/local/var/softhsm/slot0.db
ods-signerd: setup failed: error initializing libhsm (errno 268435457)
ods-signerd: signer engine setup failed
ods-signerd: shutdown signer engine

I tried reverting to version of sqlite3, but I get the
same errors whatever I do now. I have compared the dump of the
current slot0.db with dumps from backuped slot0.db, and they
have no diffs.

If I understand lib/SoftDatabase.cpp in SoftHSM source correctly
the cause of the error is that there should be a
PRAGMA user_version=100;
or something like that in the SoftHSM db. But the only PRAGMA
I have in there, even in the old backups, is
PRAGMA foreign_keys=OFF;

My first idea is to enter a PRAGMA user_version into slot0.db,
but since I don't know if that will solve the problem and also
I'm no good at SQL, I'm not trying that right now. If anyone can
confirm that this is the solution and give me the steps to fix it
I would be very grateful.

Otherwise I guess I'll have to reset the SoftHSM database,
but I don't know how to export current keys from slot0.db
when I can't start the SoftHSM application.

Starting from scratch with fresh keys is the least preferred

Any ideas are welcome!


Peter Olsson                    pol at leissner.se

More information about the Opendnssec-user mailing list