[Opendnssec-user] Re: softhsmv2 bugs
Paul Wouters
paul at nohats.ca
Fri Aug 29 14:11:56 UTC 2014
On Mon, 18 Aug 2014, Paul Wouters wrote:
> On Fri, 15 Aug 2014, Roland van Rijswijk - Deij wrote:
>
>> I'd like to create an issue for this in our issue tracking system,
>> however, I have some questions:
>>
>> - Did OpenDNSSEC work correctly after you upgrade from SoftHSM v1 to v2
>> right up until the point that you tried to create an additional slot?
>
> yes, although getting the right permissions between softhsm/ods/nsd and
> rpm upgrades is very tricky (and a work in progress)
>
>> - Could you retry upgrading in this case and testing if OpenDNSSEC works
>> correctly with the new SoftHSM v2 token and if it does let us know?
>
> Yes, that seems to work.
I take this back :(
Aug 24 03:07:05 ns0 ods-signerd: SecureDataManager.cpp(359): Invalid IV in encrypted data
Aug 24 03:07:05 ns0 ods-signerd: [hsm] sign init: CKR_GENERAL_ERROR
Aug 24 03:07:05 ns0 ods-signerd: [hsm] error signing rrset with libhsm
Aug 24 03:07:05 ns0 ods-signerd: [rrset] unable to sign RRset[28]: lhsm_sign() failed
Aug 24 03:07:05 ns0 ods-signerd: SecureDataManager.cpp(359): Invalid IV in encrypted data
Aug 24 03:07:05 ns0 ods-signerd: [hsm] sign init: CKR_GENERAL_ERROR
Aug 24 03:07:05 ns0 ods-signerd: [hsm] error signing rrset with libhsm
Aug 24 03:07:05 ns0 ods-signerd: [rrset] unable to sign RRset[6]: lhsm_sign() failed
It hasn't signed for a number of days, and I noticed by the first
records that had expired RRSIGs :(
Looking back through the logs, it broke instantly, but I misread the
messages in the log:
Aug 18 14:32:05 ns0 ods-signerd: [signconf] zone libreswan.ca signconf: RESIGN[PT7200S] REFRESH[PT604800S] VALIDITY[PT1209600S] DENIAL[PT1209600S] JITTER[PT43200S] OFFSET[PT3600S] NSEC[50] DNSKEYTTL[PT3600S] SOATTL[PT3600S] MINIMUM[PT3600S] SERIAL[datecounter]
Those didn't actually mean "signed" but "going to sign".
Paul
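The failure mode in the message above is that ods-signerd kept logging "[signconf] ... RESIGN[...]" lines (which only mean the zone was scheduled for signing) while every actual signing call failed with "Invalid IV in encrypted data" / CKR_GENERAL_ERROR, and nobody noticed until RRSIGs in the zone had expired. The script below is an added example, not code from OpenDNSSEC, SoftHSM or the poster: it scans ods-signerd syslog lines, counts the HSM errors separately from the signconf scheduling lines, and checks the expiration field of an RRSIG so a cron job could catch both symptoms. The sample log lines are constructed here after the ones quoted in the message, and the RRSIG rdata (key tag, signer and signature) is made up for illustration.

```python
import re
from datetime import datetime, timezone

# Constructed sample, modelled on the ods-signerd lines quoted in the message.
SAMPLE_LOG = """\
Aug 18 14:32:05 ns0 ods-signerd: [signconf] zone libreswan.ca signconf: RESIGN[PT7200S] REFRESH[PT604800S] VALIDITY[PT1209600S] DENIAL[PT1209600S] JITTER[PT43200S] OFFSET[PT3600S] NSEC[50] DNSKEYTTL[PT3600S] SOATTL[PT3600S] MINIMUM[PT3600S] SERIAL[datecounter]
Aug 24 03:07:05 ns0 ods-signerd: SecureDataManager.cpp(359): Invalid IV in encrypted data
Aug 24 03:07:05 ns0 ods-signerd: [hsm] sign init: CKR_GENERAL_ERROR
Aug 24 03:07:05 ns0 ods-signerd: [hsm] error signing rrset with libhsm
Aug 24 03:07:05 ns0 ods-signerd: [rrset] unable to sign RRset[28]: lhsm_sign() failed
Aug 24 03:07:05 ns0 ods-signerd: SecureDataManager.cpp(359): Invalid IV in encrypted data
Aug 24 03:07:05 ns0 ods-signerd: [hsm] sign init: CKR_GENERAL_ERROR
Aug 24 03:07:05 ns0 ods-signerd: [hsm] error signing rrset with libhsm
Aug 24 03:07:05 ns0 ods-signerd: [rrset] unable to sign RRset[6]: lhsm_sign() failed
"""

# Classic syslog prefix followed by the ods-signerd program name.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"ods-signerd: (?P<msg>.*)$"
)
RRSET_RE = re.compile(r"unable to sign RRset\[(\d+)\]")


def summarize_signer_log(text):
    """Separate real HSM/signing failures from signconf scheduling notices."""
    report = {
        "invalid_iv": 0,        # SoftHSM could not decrypt the key material
        "sign_init_errors": 0,  # libhsm C_SignInit returned an error
        "rrset_failures": [],   # RRset numbers for which lhsm_sign() failed
        "signconf_zones": [],   # zones merely *scheduled* for signing
    }
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        msg = m.group("msg")
        if "Invalid IV in encrypted data" in msg:
            report["invalid_iv"] += 1
        elif msg.startswith("[hsm] sign init:"):
            report["sign_init_errors"] += 1
        elif (r := RRSET_RE.search(msg)):
            report["rrset_failures"].append(int(r.group(1)))
        elif msg.startswith("[signconf] zone "):
            # "[signconf] zone <name> signconf: ..." means "going to sign", not "signed".
            report["signconf_zones"].append(msg.split()[2])
    return report


def signer_healthy(report):
    """A signconf line alone proves nothing; any signing failure makes the run unhealthy."""
    return (report["invalid_iv"] == 0
            and report["sign_init_errors"] == 0
            and not report["rrset_failures"])


# RRSIG presentation format (RFC 4034 section 3.2):
# type_covered algorithm labels original_ttl expiration inception key_tag signer signature
RRSIG_TIME_FMT = "%Y%m%d%H%M%S"


def rrsig_expired(rrsig_rdata, now):
    """True if the RRSIG's expiration field (UTC, YYYYMMDDHHMMSS) is not after `now`."""
    fields = rrsig_rdata.split()
    expiration = datetime.strptime(fields[4], RRSIG_TIME_FMT).replace(tzinfo=timezone.utc)
    return now >= expiration


if __name__ == "__main__":
    rep = summarize_signer_log(SAMPLE_LOG)
    print(rep)
    print("signer healthy:", signer_healthy(rep))
    # Constructed RRSIG rdata: key tag, signer and signature are placeholders.
    sig = "A 8 2 3600 20140822030705 20140808030705 12345 libreswan.ca. AbCdEf=="
    print("expired on Aug 24:", rrsig_expired(sig, datetime(2014, 8, 24, 3, 7, 5, tzinfo=timezone.utc)))
```

The point of keeping the signconf zones in a separate field is exactly the misreading described above: a monitoring rule that alerts on "no [signconf] line in the last N hours" would have stayed quiet here, while one that alerts on any lhsm_sign() failure, or on an RRSIG whose expiration is within one RESIGN interval of now, would have fired on Aug 18.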