[Opendnssec-user] Critical issue: CKR_OBJECT_HANDLE_INVALID after ZSK rollover

Berry A.W. van Halderen berry at nlnetlabs.nl
Tue Sep 6 13:04:49 UTC 2016

On 09/06/2016 02:15 PM, Juan Carlos Rodriguez wrote:
> Dear Berry,
> I think we are suffering the same error at our tests using a RHEL 7, ODS
> 1.4.7 and a HSM Luna SA7:
> Sep  6 09:16:47 dnshost ods-enforcerd: Created ZSK size: 2048, alg: 8
> with id: 812c8c298040dba470085f19bf038277 in repository: ... and database.
> Sep  6 09:17:04 dnshost ods-signerd: [hsm] Get attr value 2:
> Sep  6 09:17:04 dnshost ods-signerd: [hsm] unable to get key: key
> 812c8c298040dba470085f19bf038277 not found
> Sep  6 09:17:04 dnshost ods-signerd: [zone] unable to publish dnskeys
> for zone testzone: error creating dnskey
> Sep  6 09:17:04 dnshost ods-signerd: [tools] unable to read zone
> testzone: failed to publish dnskeys (General error)
> Could you confirm us if the 1.4 version with the fix was released?

Always impossible to give a hard confirmation.  But yes, the messages
you get are similar to the issues relating to the re-opening of the
HSM (issues OPENDNSSEC-{478,750,581,582},SUPPORT-88).
These issues are solved in 1.4.10 (and 2.0.1).

A quick restart will get you out of the immediate issues, as then the
keys should be found.  But you should upgrade to the latest 1.4.

With kind regards,
Berry van Halderen

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 473 bytes
Desc: OpenPGP digital signature
URL: <http://lists.opendnssec.org/pipermail/opendnssec-user/attachments/20160906/a1e31d52/attachment.bin>

More information about the Opendnssec-user mailing list