[Opendnssec-user] possible error in error message of ods-signerd

Matthijs Mekking matthijs at nlnetlabs.nl
Tue Jul 17 14:09:51 UTC 2012



On 07/16/2012 05:08 PM, Paul Wouters wrote:
> 
> In a lab system we had some issues with the HSM (still pending 
> investigation). We saw the following in the logs:
> 
> Jul 12 11:54:52 signer-01 ods-signerd: [hsm] sign final: CKR_DEVICE_ERROR
> Jul 12 11:54:52 signer-01 ods-signerd: [hsm] sign final: CKR_DEVICE_ERROR
> Jul 12 11:54:53 signer-01 ods-signerd: [hsm] sign final: CKR_DEVICE_ERROR
> Jul 12 11:54:53 signer-01 ods-signerd: [hsm] sign final: CKR_DEVICE_ERROR
> Jul 12 11:54:53 signer-01 ods-signerd: [worker[3]] sign zone ca failed: 81 of 1910549 signatures failed
> 
> The zone involved is a large test zone with opt-in. It should only 
> require a handful of RRSIGs, not 1910549. I think the reporting of 
> this latter number is based on an assumption of no-opt-in.

If opt in, you should have a RRSIG for every delegation right?

> 
> It's somewhat misleading, as I think all RRSIG generation failed,
> and the message 81 out of 1910549 failed wrongly suggests some
> RRSIGs were correctly generated.

I guess 81 signatures could be reused and no HSM interaction was
required.

Best regards,
  Matthijs

> 
> Paul

