[Opendnssec-user] signer / softHSM issues?
Havard Eidnes
he at uninett.no
Sat Dec 5 19:12:24 UTC 2015
Hi,

it seems I'm still not on friendly terms with my OpenDNSSEC
installation. A couple of notes:

1) It seems that ods-signer doesn't (anymore?) do zone transfers
of its own initiative, only when prodded by notify messages.
Can someone please tell me how ods-signer's incoming zone
transfers are supposed to be triggered?

My checker script which checks that zone data is flowing from
the hidden master through OpenDNSSEC in reasonable time is
triggering that this is *NOT* happening for a number of zones.
This may be related to the following issue, 2).

2) It seems ods-signer can get into a state where one of its
threads is more or less busy-spinning consuming CPU.

3) It seems that after a while, SoftHSM refuses to cooperate, and
in the log I get

    Dec 5 19:30:59 odshost ods-signerd: [hsm] sign RRset[6] with key 2274002621d5c9355a250f48f1919f11 tag 63201
    Dec 5 19:30:59 odshost ods-signerd: [drudger[3]] report for duty
    Dec 5 19:30:59 odshost ods-signerd: [drudger[2]] report for duty
    Dec 5 19:30:59 odshost ods-signerd: [rrset] sign RRset: <afs774afrhq9u2piedkpm4boamg0o190.0.1.3.0.3.3.7.4.nrenum.net,NSEC3>
    Dec 5 19:30:59 odshost ods-signerd: [rrset] sign RRset: <0.0.0.1.3.0.3.3.7.4.nrenum.net,NAPTR>
    Dec 5 19:30:59 odshost ods-signerd: [hsm] error signing rrset with libhsm
    Dec 5 19:30:59 odshost ods-signerd: [rrset] sign RRset: <tqphsarldvidd67mcis0cnsp05qtcf6h.0.1.3.0.3.3.7.4.nrenum.net,NSEC3>
    Dec 5 19:30:59 odshost ods-signerd: [drudger[3]] report for duty
    Dec 5 19:30:59 odshost ods-signerd: [drudger[4]] report for duty
    Dec 5 19:30:59 odshost ods-signerd: [rrset] unable to sign RRset[6]: lhsm_sign() failed

As an operator, these are log messages which are impossible to
relate to, because the *reason* for the lhsm_sign() failure is
not specified, so corrective action will by necessity need to
be based on wild guesswork.

In connection with this, I'm wondering what an appropriate
value for <WorkerThreads> (and <SignerThreads>) is in the
signer config when using SoftHSM. The documentation
does not say how OpenDNSSEC and SoftHSM fit together here.
(I started with 4, more or less "by default", bumped to 6, and
I'm now reducing to 2 and considering 1 in order to try to
eliminate parallelism bugs.)

Regards,

- Håvard
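
Added example, not part of the original post and not OpenDNSSEC code: a Python filter over the ods-signerd syslog format quoted above that turns each lhsm_sign() failure into an alertable record with the key locator and the RRsets logged in the same second. Because worker threads interleave their output, those RRsets are only candidates; the function name and the same-second grouping are assumptions of this example.

```python
import re
from collections import Counter

# Lines copied from the log excerpt in the post above (shortened selection).
SAMPLE = """\
Dec 5 19:30:59 odshost ods-signerd: [hsm] sign RRset[6] with key 2274002621d5c9355a250f48f1919f11 tag 63201
Dec 5 19:30:59 odshost ods-signerd: [drudger[3]] report for duty
Dec 5 19:30:59 odshost ods-signerd: [rrset] sign RRset: <0.0.0.1.3.0.3.3.7.4.nrenum.net,NAPTR>
Dec 5 19:30:59 odshost ods-signerd: [hsm] error signing rrset with libhsm
Dec 5 19:30:59 odshost ods-signerd: [rrset] sign RRset: <tqphsarldvidd67mcis0cnsp05qtcf6h.0.1.3.0.3.3.7.4.nrenum.net,NSEC3>
Dec 5 19:30:59 odshost ods-signerd: [rrset] unable to sign RRset[6]: lhsm_sign() failed
"""

# "<date> <host> ods-signerd: [component] message"; drudger[N] carries a thread index.
LINE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ ods-signerd: "
                  r"\[(?P<comp>[a-z]+)(?:\[\d+\])?\] (?P<msg>.*)$")
KEY = re.compile(r"with key (?P<key>[0-9a-f]+) tag (?P<tag>\d+)")
RRSET = re.compile(r"sign RRset: <(?P<owner>[^,>]+),(?P<rtype>[A-Z0-9]+)>")

def summarize(lines):
    """Return per-minute failure counts and one record per lhsm_sign() failure."""
    per_minute, keys, rrsets, failed_at = Counter(), {}, {}, []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # not an ods-signerd line in the expected format
        ts, comp, msg = m["ts"], m["comp"], m["msg"]
        if comp == "rrset" and "lhsm_sign() failed" in msg:
            per_minute[ts[:-3]] += 1          # drop ":SS" to bucket by minute
            failed_at.append(ts)
        elif comp == "hsm" and (k := KEY.search(msg)):
            keys[ts] = (k["key"], int(k["tag"]))   # last key used in that second
        elif comp == "rrset" and (r := RRSET.search(msg)):
            rrsets.setdefault(ts, []).append((r["owner"], r["rtype"]))
    # Threads interleave, so RRsets from the same second are candidates only.
    incidents = [{"time": ts, "key": keys.get(ts), "candidates": rrsets.get(ts, [])}
                 for ts in failed_at]
    return {"per_minute": dict(per_minute), "incidents": incidents}

if __name__ == "__main__":
    report = summarize(SAMPLE.splitlines())
    for inc in report["incidents"]:
        print(inc["time"], "key/tag:", inc["key"], "candidates:", inc["candidates"])
```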