[Opendnssec-user] Critical issue: CKR_OBJECT_HANDLE_INVALID after ZSK rollover

Anne van Bemmelen Anne.vanBemmelen at sidn.nl
Fri Apr 8 09:15:34 UTC 2016


Thanks Berry.
Can you tell us when the 1.4 version with the fix is likely to be released?


Kind regards,
Anne (A.) van Bemmelen


SIDN | Meander 501 | 6825 MD | PO Box 5022 | 6802 EA | ARNHEM | The Netherlands
T +31 (0)26 352 55 00 | M +31 (0)6 150 633 96
anne.vanbemmelen at sidn.nl | www.sidn.nl | Key-ID: 0xB8A5F0B2





-----Original Message-----
From: Opendnssec-user [mailto:opendnssec-user-bounces at lists.opendnssec.org] On Behalf Of Berry A.W. van Halderen
Sent: Thursday 7 April 2016 9:33
To: opendnssec-user at lists.opendnssec.org
Subject: Re: [Opendnssec-user] Critical issue: CKR_OBJECT_HANDLE_INVALID after ZSK rollover

On 04/07/2016 08:47 AM, Anne van Bemmelen wrote:
> Dear listmembers,
> 
> During a regular enforcerd wake up a new ZSK was created, according to
> the regular scheme.
> 
> Immediately after this wake up the critical issue
> 'CKR_OBJECT_HANDLE_INVALID' was logged, see below this message.
> 
> Signing the involved zone wasn't possible.
> 
> Signing of other zones was not impacted.
> 

We have seen this issue in 1.4 and 2.0, and are on track to solve
this issue in those versions.  I am however surprised that
this issue also occurs on your Luna HSM.  The cases where we have seen
it are those where a key is created in the enforcer, but is not yet
available to the signer.  Your conclusion might be the HSM is slow to
make it available, but I won't go that far, as the signer also does not
properly handle this.

I am not too familiar with the 1.3 branch, whether this is truly
the same issue.

With kind regards,
Berry van Halderen

> 
> Workaround: restart ODS.
> 
>  
> 
> But this is the third time this happened, although for a different
> zone, in exactly the same circumstances.
> 
>  
> 
> The first and second time we used this configuration:
> 
> - RedHat 5
> - ODS v1.3.5
> - HSM Luna SA4
> 
> This third time we used the new configuration:
> 
> - Ubuntu 14.04
> - ODS v1.4.7
> - HSM Luna SA6
> 
> Questions:
> 
> - did anyone notice this before
> - what can be the cause of this error
> - what can I do to fix this
> 
>  
> 
> Some relevant logging:
> 
> Apr  5 20:49:11 myhost ods-enforcerd: Created key in repository .
> 
> Apr  5 20:49:11 myhost ods-enforcerd: Created ZSK size: 1024, alg: 8
> with id********  in repository: . and database.
> 
> [.]
> 
> Apr  5 20:49:12 myhost ods-enforcerd: Sleeping for 3600 seconds.
> 
> Apr  5 20:49:12 myhost ods-signerd: [hsm] C_GetAttributeValue:
> CKR_OBJECT_HANDLE_INVALID
> 
> Apr  5 20:49:12 myhost ods-signerd: [hsm] unable to get key: hsm failed
> to create dnskey
> 
> Apr  5 20:49:12 myhost ods-signerd: [zone] unable to publish dnskeys for
> zone myzone: error creating dnskey
> 
> Apr  5 20:49:12 myhost ods-signerd: [tools] unable to read zone myzone:
> failed to publish dnskeys (General error)
> 
> Apr  5 20:49:13 myhost ods-signerd: [worker[3]] CRITICAL: failed to sign
> zone myzone: General error
> 
>  
> 
>  
> 
> Kind regards,
> 
> Anne (A.) van Bemmelen
> 
>  
> 
>  
> 
> SIDN | Meander 501 | 6825 MD | PO Box 5022 | 6802 EA | ARNHEM | The
> Netherlands
> 
> T +31 (0)26 352 55 00 | M +31 (0)6 150 633 96
> 
> anne.vanbemmelen at sidn.nl <mailto:anne.vanbemmelen at sidn.nl>| www.sidn.nl
> <http://www.sidn.nl/>| Key-ID: 0xB8A5F0B2
> 
>  
> 
>  
> 
> 
> 
> _______________________________________________
> Opendnssec-user mailing list
> Opendnssec-user at lists.opendnssec.org
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
> 
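The failure sequence in the quoted log (enforcer creates a key, signer then logs CKR_OBJECT_HANDLE_INVALID and fails to sign the zone) can be watched for in syslog. The script below is an added example, not part of the thread and not OpenDNSSEC code; the 60-second correlation window, the year argument and the function name are assumptions, and the sample log is constructed from the excerpt above with its wrapped lines rejoined.

```python
import re
from datetime import datetime, timedelta

# Constructed sample, modelled on the syslog excerpt quoted in the thread.
SAMPLE_LOG = """\
Apr  5 20:49:11 myhost ods-enforcerd: Created key in repository .
Apr  5 20:49:11 myhost ods-enforcerd: Created ZSK size: 1024, alg: 8 with id********  in repository: . and database.
Apr  5 20:49:12 myhost ods-enforcerd: Sleeping for 3600 seconds.
Apr  5 20:49:12 myhost ods-signerd: [hsm] C_GetAttributeValue: CKR_OBJECT_HANDLE_INVALID
Apr  5 20:49:12 myhost ods-signerd: [zone] unable to publish dnskeys for zone myzone: error creating dnskey
Apr  5 20:49:13 myhost ods-signerd: [worker[3]] CRITICAL: failed to sign zone myzone: General error
"""

LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ (ods-\w+): (.*)$")
KEY_CREATED = re.compile(r"Created (ZSK|KSK) ")
SIGN_FAILED = re.compile(r"CRITICAL: failed to sign zone (\S+):")

def find_rollover_failures(log_text, window_seconds=60, year=2016):
    """Return one finding per zone whose signing failed after an invalid-handle
    error that followed a key creation within `window_seconds` (assumed value)."""
    window = timedelta(seconds=window_seconds)
    last_key = last_invalid = None
    findings = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        # syslog timestamps omit the year, so the caller supplies it
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        daemon, msg = m.group(2), m.group(3)
        if daemon == "ods-enforcerd" and KEY_CREATED.search(msg):
            last_key = ts
        elif daemon == "ods-signerd" and "CKR_OBJECT_HANDLE_INVALID" in msg:
            # count the HSM error only when it closely follows a key creation
            if last_key is not None and ts - last_key <= window:
                last_invalid = ts
        elif daemon == "ods-signerd":
            failed = SIGN_FAILED.search(msg)
            if failed and last_invalid is not None and ts - last_invalid <= window:
                findings.append({"zone": failed.group(1), "key_created": last_key,
                                 "failed_at": ts})
    return findings

if __name__ == "__main__":
    for f in find_rollover_failures(SAMPLE_LOG):
        print(f"{f['zone']}: signing failed at {f['failed_at']} after key creation at {f['key_created']}")
```

A finding means the zone is no longer being re-signed, so it should be alerted on well before the existing signatures expire.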
