[Opendnssec-user] ods-enforcerd segfault when there are no spare keys - using Thales HSM

David Peall david at dnservices.co.za
Wed May 28 14:33:53 CEST 2014


Hi 

I’m new to the list and have just started working on our OpenDNSSEC project with Mark Elkins.

It seems to work if I generate the keys by hand.

For example this is the error when there are no keys:
  ods-enforcerd: 2 zone(s) found on policy "zacr-nsec3"
  ods-enforcerd: 2 new KSK(s) (2048 bits) need to be created for policy zacr-nsec3: keys_to_generate(2) = keys_needed(2) - keys_available(0).
  ods-signerd: [hsm] libhsm connection opened succesfully
  ods-signerd: [engine] signer started (version 1.4.5), pid 15672 
  ods-signerd: [worker[1]] CRITICAL: failed to sign zone za: General error
  ods-signerd: [worker[1]] backoff task [configure] for zone za with 60 seconds
  ods-signerd: [worker[2]] CRITICAL: failed to sign zone web.za: General error
  ods-signerd: [worker[2]] backoff task [configure] for zone web.za with 60 seconds
  kernel: [687265.213229] ods-enforcerd[15667]: segfault at 0 ip 00007fcbed8feb14 sp 00007fff9687e0f0 error 4 in libcknfast.so[7fcbed855000+1ee000]


I tried to test the HSM and it appears to be working fine:
  /usr/bin/ods-hsmspeed -r thales
  Opening HSM Library...
  Generating temporary key...
  Temporary key created: 7edab7c41138f9ee88c3fc3bf6ec38d1
  Signing 1 RRsets with RSA/SHA1 using 1 thread...
  Signer thread #0 started...
  Signer thread #0 done.
  Signing done.
  1 thread, 1 signatures per thread, 165.89 sig/s (RSA 1024 bits)
  Deleting temporary key…

I got the idea to create the keys by hand:
  ods-ksmutil key generate --policy zacr-nsec3 --interval 3D
  Key sharing is Off
  HSM opened successfully.
  Info: 2 zone(s) found on policy "zacr-nsec3”
  2 new KSK(s) (2048 bits) need to be created for policy zacr-nsec3: keys_to_generate(2) = keys_needed(2) - keys_available(0).
  2 new ZSK(s) (1024 bits) need to be created for policy zacr-nsec3: keys_to_generate(2) = keys_needed(2) - keys_available(0).
  *WARNING* This will create 2 KSKs (2048 bits) and 2 ZSKs (1024 bits)
  Are you sure? [y/N] 
  y
  Created KSK size: 2048, alg: 8 with id: b2ef8697d6b69c563bbbe7240f19ea21 in repository: thales and database.
  Created KSK size: 2048, alg: 8 with id: d297acdb3da9c037a41a93c0bc759125 in repository: thales and database.
  Created ZSK size: 1024, alg: 8 with id: 37de55772bdd4d2dd7dc855718c76763 in repository: thales and database.
  Created ZSK size: 1024, alg: 8 with id: 994d1945737cc3a65f6cd60d8ed70031 in repository: thales and database.
  all done! hsm_close result: 0

Now running OpenDNSSEC it works:
  ods-signerd: [hsm] libhsm connection opened succesfully
  ods-signerd: [engine] signer started (version 1.4.5), pid 15782
  ods-enforcerd: Zone web.za found.
  ods-enforcerd: Policy for web.za set to zacr-nsec3.
  ods-enforcerd: Config will be output to /var/opendnssec/signconf/web.za.xml.
  ods-enforcerd: ZSK key allocation for zone web.za: 1 key(s) allocated
  ods-enforcerd: KSK key allocation for zone web.za: 1 key(s) allocated
  ods-signerd: [signconf] zone za signconf: RESIGN[PT7200S] REFRESH[PT259200S] VALIDITY[PT604800S] DENIAL[PT604800S] JITTER[PT43200S] OFFSET[PT3600S] NSEC[50] DNSKEYTTL[PT3600S] SOATTL[PT3600S] MINIMUM[PT3600S] SERIAL[unixtime]
  ods-signerd: [signconf] zone web.za signconf: RESIGN[PT7200S] REFRESH[PT259200S] VALIDITY[PT604800S] DENIAL[PT604800S] JITTER[PT43200S] OFFSET[PT3600S] NSEC[50] DNSKEYTTL[PT3600S] SOATTL[PT3600S] MINIMUM[PT3600S] SERIAL[unixtime]
  ods-signerd: [namedb] zone za unable to use unixtime as serial: 1401279757 does not increase 2014030508. Serial set to 2014030509
  ods-signerd: [STATS] za 2014030509 RR[count=135 time=0(sec)] NSEC3[count=3 time=0(sec)] RRSIG[new=10 reused=0 time=0(sec) avg=0(sig/sec)] TOTAL[time=0(sec)] 
  ods-signerd: [STATS] web.za 1401279757 RR[count=453 time=0(sec)] NSEC3[count=58 time=0(sec)] RRSIG[new=116 reused=0 time=1(sec) avg=116(sig/sec)] TOTAL[time=1(sec)] 

Regards
—
David Peall
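As an added example (not code from the poster or from OpenDNSSEC), the Python below parses enforcer log lines of the shape quoted above and reports, per policy and key type, where keys_available is 0, so a pre-flight or monitoring check can flag the no-spare-keys condition; it also picks out kernel segfault records for ods-enforcerd. It assumes only the message formats visible in this post; the sample lines are constructed from them.

```python
import re
from collections import namedtuple

# Enforcer key-shortfall message, e.g.
# "2 new KSK(s) (2048 bits) need to be created for policy P: keys_to_generate(2) = keys_needed(2) - keys_available(0)."
SHORTFALL_RE = re.compile(
    r"(?P<count>\d+) new (?P<ktype>KSK|ZSK)\(s\) \((?P<bits>\d+) bits\) need to be created "
    r"for policy (?P<policy>\S+): keys_to_generate\((?P<gen>\d+)\) = "
    r"keys_needed\((?P<needed>\d+)\) - keys_available\((?P<avail>\d+)\)"
)
# Kernel segfault record for the enforcer process (library name is the token before '[').
SEGFAULT_RE = re.compile(r"ods-enforcerd\[(?P<pid>\d+)\]: segfault at .* in (?P<lib>\S+)\[")

Shortfall = namedtuple("Shortfall", "policy ktype bits needed available to_generate")

def parse_enforcer_log(lines):
    """Return (shortfalls, segfaults) found in the given log lines.

    shortfalls: one Shortfall per key-shortfall message (policy, key type, counts).
    segfaults: (pid, library) tuples from kernel segfault records for ods-enforcerd.
    """
    shortfalls, segfaults = [], []
    for line in lines:
        m = SHORTFALL_RE.search(line)
        if m:
            shortfalls.append(Shortfall(m["policy"], m["ktype"], int(m["bits"]),
                                        int(m["needed"]), int(m["avail"]), int(m["gen"])))
            continue
        m = SEGFAULT_RE.search(line)
        if m:
            segfaults.append((int(m["pid"]), m["lib"]))
    return shortfalls, segfaults

def policies_with_no_spare_keys(shortfalls):
    """Policies for which at least one key type reports keys_available(0)."""
    return sorted({s.policy for s in shortfalls if s.available == 0})

# Constructed sample log, modelled on the lines in the post (not a real capture).
SAMPLE_LOG = [
    'ods-enforcerd: 2 zone(s) found on policy "zacr-nsec3"',
    "ods-enforcerd: 2 new KSK(s) (2048 bits) need to be created for policy zacr-nsec3: keys_to_generate(2) = keys_needed(2) - keys_available(0).",
    "ods-enforcerd: 1 new ZSK(s) (1024 bits) need to be created for policy zacr-nsec3: keys_to_generate(1) = keys_needed(2) - keys_available(1).",
    "kernel: [687265.213229] ods-enforcerd[15667]: segfault at 0 ip 00007fcbed8feb14 sp 00007fff9687e0f0 error 4 in libcknfast.so[7fcbed855000+1ee000]",
]

if __name__ == "__main__":
    found, crashes = parse_enforcer_log(SAMPLE_LOG)
    for s in found:
        print(f"{s.policy} {s.ktype}: {s.to_generate} to generate, {s.available} available")
    for pid, lib in crashes:
        print(f"ods-enforcerd pid {pid} crashed in {lib}")
```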