[Opendnssec-user] Critical issue: CKR_OBJECT_HANDLE_INVALID after ZSK rollover

Anne van Bemmelen Anne.vanBemmelen at sidn.nl
Thu Apr 7 06:47:58 UTC 2016

Dear listmembers,
During a regular enforcerd wake up a new ZSK was created, according to the regular scheme.
Immediately after this wake up the critical issue 'CKR_OBJECT_HANDLE_INVALID' was logged, see below this message.
Signing the involved zone wasn't possible.
Signing of other zones was not impacted.

Workaround: restart ODS.

But this is the third time this happened, and although for a different zone in exactly the same circumstances.

The first and second time we used this configuration:

-          RedHat 5

-          ODS v1.3.5

-          HSM Luna SA4

This third time we used the new configuration:

-          Ubuntu 14.04

-          ODS v1.4.7

-          HSM Luna SA6


-          did anyone notice this before

-          what can be the cause of this error

-          what can I do to fix this

Some relevant logging:
Apr  5 20:49:11 myhost ods-enforcerd: Created key in repository ...
Apr  5 20:49:11 myhost ods-enforcerd: Created ZSK size: 1024, alg: 8 with id********  in repository: ... and database.
Apr  5 20:49:12 myhost ods-enforcerd: Sleeping for 3600 seconds.
Apr  5 20:49:12 myhost ods-signerd: [hsm] C_GetAttributeValue: CKR_OBJECT_HANDLE_INVALID
Apr  5 20:49:12 myhost ods-signerd: [hsm] unable to get key: hsm failed to create dnskey
Apr  5 20:49:12 myhost ods-signerd: [zone] unable to publish dnskeys for zone myzone: error creating dnskey
Apr  5 20:49:12 myhost ods-signerd: [tools] unable to read zone myzone: failed to publish dnskeys (General error)
Apr  5 20:49:13 myhost ods-signerd: [worker[3]] CRITICAL: failed to sign zone myzone: General error

Kind regards,
Anne (A.) van Bemmmelen

[cid:image002.png at 01D1708C.13C98000]

SIDN | Meander 501 | 6825 MD | PO Box 5022 | 6802 EA | ARNHEM | The Netherlands
T +31 (0)26 352 55 00 | M +31 (0)6 150 633 96
anne.vanbemmelen at sidn.nl<mailto:anne.vanbemmelen at sidn.nl> | www.sidn.nl<http://www.sidn.nl/> | Key-ID: 0xB8A5F0B2

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.opendnssec.org/pipermail/opendnssec-user/attachments/20160407/79046c4c/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.png
Type: image/png
Size: 5399 bytes
Desc: image001.png
URL: <http://lists.opendnssec.org/pipermail/opendnssec-user/attachments/20160407/79046c4c/attachment.png>

More information about the Opendnssec-user mailing list