[Opendnssec-user] Re: softhsmv2 bugs

Matthijs Mekking matthijs at nlnetlabs.nl
Fri Aug 29 16:10:59 UTC 2014


On 08/29/2014 04:11 PM, Paul Wouters wrote:
> On Mon, 18 Aug 2014, Paul Wouters wrote:
> 
>> On Fri, 15 Aug 2014, Roland van Rijswijk - Deij wrote:
>>
>>> I'd like to create an issue for this in our issue tracking system,
>>> however, I have some questions:
>>>
>>> - Did OpenDNSSEC work correctly after you upgraded from SoftHSM v1 to v2
>>> right up until the point that you tried to create an additional slot?
>>
>> yes, although getting the right permissions between softhsm/ods/nsd and
>> rpm upgrades is very tricky (and a work in progress)
>>
>>> - Could you retry upgrading in this case and testing if OpenDNSSEC works
>>> correctly with the new SoftHSM v2 token and if it does let us know?
>>
>> Yes that seems to work,
> 
> I take this back :(
> 
> Aug 24 03:07:05 ns0 ods-signerd: SecureDataManager.cpp(359): Invalid IV
> in encrypted data
> Aug 24 03:07:05 ns0 ods-signerd: [hsm] sign init: CKR_GENERAL_ERROR
> Aug 24 03:07:05 ns0 ods-signerd: [hsm] error signing rrset with libhsm
> Aug 24 03:07:05 ns0 ods-signerd: [rrset] unable to sign RRset[28]:
> lhsm_sign() failed
> Aug 24 03:07:05 ns0 ods-signerd: SecureDataManager.cpp(359): Invalid IV
> in encrypted data
> Aug 24 03:07:05 ns0 ods-signerd: [hsm] sign init: CKR_GENERAL_ERROR
> Aug 24 03:07:05 ns0 ods-signerd: [hsm] error signing rrset with libhsm
> Aug 24 03:07:05 ns0 ods-signerd: [rrset] unable to sign RRset[6]:
> lhsm_sign() failed
> 
> It hasn't signed for a number of days, and I noticed by the first
> records that had expired RRSIGs :(
> 
> Looking back through the logs, it broke instantly, but I misread the
> messages in the log:
> 
> Aug 18 14:32:05 ns0 ods-signerd: [signconf] zone libreswan.ca signconf:
> RESIGN[PT7200S] REFRESH[PT604800S] VALIDITY[PT1209600S]
> DENIAL[PT1209600S] JITTER[PT43200S] OFFSET[PT3600S] NSEC[50]
> DNSKEYTTL[PT3600S] SOATTL[PT3600S] MINIMUM[PT3600S] SERIAL[datecounter]
> 
> Those didn't actually mean "signed" but "going to sign".

To be precise, that line just informs you of the new signer configuration.

Best regards,
  Matthijs


> 
> Paul
> _______________________________________________
> Opendnssec-user mailing list
> Opendnssec-user at lists.opendnssec.org
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
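The failure mode in this thread is that the signer stopped signing immediately after the upgrade, the `[signconf]` line was misread as a sign result, and the problem only surfaced once RRSIGs had expired at resolvers. As an added example (not code from the thread, from OpenDNSSEC or from SoftHSM), the Python below shows the two checks a practitioner would put around this: a log classifier that counts only real signing errors (`[hsm] sign init: CKR_*`, `lhsm_sign() failed`, the SoftHSM `SecureDataManager.cpp` message) and treats `[signconf]` as informational, and an RRSIG expiration check against the zone's REFRESH window. The log lines and RRSIG records it reads are constructed for the example, modelled on the ones quoted above; the REFRESH value and the "now" timestamp are taken from the thread. In practice the RRSIGs would come from `dig +dnssec` output rather than an inline string.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample ods-signerd syslog lines, modelled on the ones quoted in
# the thread (example input, not a real capture).
SAMPLE_LOG = """\
Aug 18 14:32:05 ns0 ods-signerd: [signconf] zone libreswan.ca signconf: RESIGN[PT7200S] REFRESH[PT604800S] VALIDITY[PT1209600S] SERIAL[datecounter]
Aug 24 03:07:05 ns0 ods-signerd: SecureDataManager.cpp(359): Invalid IV in encrypted data
Aug 24 03:07:05 ns0 ods-signerd: [hsm] sign init: CKR_GENERAL_ERROR
Aug 24 03:07:05 ns0 ods-signerd: [hsm] error signing rrset with libhsm
Aug 24 03:07:05 ns0 ods-signerd: [rrset] unable to sign RRset[28]: lhsm_sign() failed
Aug 24 03:07:05 ns0 ods-signerd: [rrset] unable to sign RRset[6]: lhsm_sign() failed
"""

# Constructed RRSIG records in presentation format (the base64 field is a
# placeholder, not a real signature). Timestamps are YYYYMMDDHHMMSS in UTC.
SAMPLE_RRSIGS = """\
libreswan.ca. 3600 IN RRSIG SOA 8 2 3600 20140901143205 20140818133205 12345 libreswan.ca. AAAAAAAA
www.libreswan.ca. 3600 IN RRSIG A 8 3 3600 20140825120000 20140811110000 12345 libreswan.ca. AAAAAAAA
mail.libreswan.ca. 3600 IN RRSIG A 8 3 3600 20140910000000 20140827000000 12345 libreswan.ca. AAAAAAAA
"""

# "Now" is pinned to the date of the last message in the thread so the
# example is reproducible; a real monitor would use datetime.now(timezone.utc).
NOW = datetime(2014, 8, 29, 16, 10, 59, tzinfo=timezone.utc)
REFRESH = timedelta(seconds=604800)   # REFRESH[PT604800S] from the signconf line

LOG_PATTERNS = [
    # The signconf line only announces the new signer configuration;
    # it says nothing about whether signing succeeded.
    ("signconf", re.compile(r"\[signconf\] zone (\S+) signconf:")),
    ("softhsm_error", re.compile(r"SecureDataManager\.cpp\(\d+\): (.+)$")),
    ("hsm_error", re.compile(r"\[hsm\] sign init: (CKR_\w+)")),
    ("sign_failure", re.compile(r"\[rrset\] unable to sign RRset\[(\d+)\]")),
]


def classify(line):
    """Return (kind, detail) for one syslog line, or ("other", None)."""
    for kind, pat in LOG_PATTERNS:
        m = pat.search(line)
        if m:
            return kind, m.group(1)
    return "other", None


def summarize_log(text):
    """Count line kinds and collect PKCS#11 return codes and failed RR types."""
    summary = {"signconf": 0, "softhsm_error": 0, "hsm_error": 0,
               "sign_failure": 0, "other": 0,
               "ckr_codes": set(), "failed_rrtypes": []}
    for line in text.splitlines():
        kind, detail = classify(line)
        summary[kind] += 1
        if kind == "hsm_error":
            summary["ckr_codes"].add(detail)
        elif kind == "sign_failure":
            summary["failed_rrtypes"].append(int(detail))  # numeric RR type (28=AAAA, 6=SOA)
    return summary


def signing_is_healthy(text):
    """False if any signing error was logged; a signconf line alone proves nothing."""
    s = summarize_log(text)
    return s["sign_failure"] == 0 and s["hsm_error"] == 0 and s["softhsm_error"] == 0


def parse_rrsig(line):
    """Parse one RRSIG in presentation format.

    RDATA field order: type-covered algorithm labels original-ttl expiration
    inception key-tag signer signature.
    """
    fields = line.split()
    rdata = fields[fields.index("RRSIG") + 1:]

    def stamp(s):
        return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

    return {"owner": fields[0], "type_covered": rdata[0],
            "expiration": stamp(rdata[4]), "inception": stamp(rdata[5]),
            "key_tag": int(rdata[6]), "signer": rdata[7]}


def check_rrsigs(text, now=NOW, refresh=REFRESH):
    """Classify each RRSIG as expired, due_for_refresh or ok.

    A signature inside the REFRESH window should be replaced on the signer's
    next RESIGN pass, so one that stays there is the early sign of a stalled
    signer; 'expired' means validators already treat the data as bogus.
    """
    results = []
    for line in text.splitlines():
        sig = parse_rrsig(line)
        if sig["expiration"] <= now:
            status = "expired"
        elif sig["expiration"] - now <= refresh:
            status = "due_for_refresh"
        else:
            status = "ok"
        results.append((sig["owner"], sig["type_covered"], status))
    return results


if __name__ == "__main__":
    print(summarize_log(SAMPLE_LOG))
    print("signing healthy:", signing_is_healthy(SAMPLE_LOG))
    for owner, rrtype, status in check_rrsigs(SAMPLE_RRSIGS):
        print(f"{owner:22} {rrtype:5} {status}")
```

The two checks are deliberately independent: the log check catches the failure within the RESIGN interval (two hours here), while the RRSIG check works from the published zone alone and would also catch a signer that is silently not running at all. Alerting on either is what keeps a broken SoftHSM token from turning into days of expired signatures.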



