[Opendnssec-user] possible error in error message of ods-signerd

Paul Wouters paul at nohats.ca
Mon Jul 16 15:08:40 UTC 2012


In a lab system we had some issues with the HSM (still pending
investigation). We saw the following in the logs:

Jul 12 11:54:52 signer-01 ods-signerd: [hsm] sign final: CKR_DEVICE_ERROR
Jul 12 11:54:52 signer-01 ods-signerd: [hsm] sign final: CKR_DEVICE_ERROR
Jul 12 11:54:53 signer-01 ods-signerd: [hsm] sign final: CKR_DEVICE_ERROR
Jul 12 11:54:53 signer-01 ods-signerd: [hsm] sign final: CKR_DEVICE_ERROR
Jul 12 11:54:53 signer-01 ods-signerd: [worker[3]] sign zone ca failed: 81 of 1910549 signatures failed

The zone involved is a large test zone with opt-in. It should only
require a handful of RRSIGs, not 1910549. I think the reporting of
this latter number is based on an assumption of no-opt-in.

It's somewhat misleading, as I think all RRSIG generation failed, and
the message 81 out of 1910549 failed wrongly suggests some RRSIGs were
correctly generated.

Paul



More information about the Opendnssec-user mailing list