[Opendnssec-user] CRITICAL: failed to sign zone example.com: General error
Michael Grimm
trashcan at ellael.org
Thu Jan 19 17:03:00 UTC 2017
Hi —
@Berry: you asked for ...
dns> ls -al /usr/local/lib/softhsm/libsofthsm.so
-rwxr-xr-x 1 root wheel 149136 Jan 13 22:03 /usr/local/lib/softhsm/libsofthsm.so
Yuri Schaeffer <yuri at nlnetlabs.nl> wrote:
>> I don't mean that, perhaps the policy has been changed such that now
>> an algorithm or key length is being requested that isn't supported?
>
> Ah. I wondered why you asked. :)
>
> Yes, exactly that, an unsupported algorithm or keylength or a bad
> combination of the two might spur similar errors on 1.4. I think.
Hmm. I came across "ods-hsmutil test" and tried it on a copy of
dns> ods-hsmutil info
Repository: SoftHSM
Module: /usr/local/lib/softhsm/libsofthsm.so
Slot: 0
Token Label: OpenDNSSEC
Manufacturer: SoftHSM
Model: SoftHSM
Serial: 1
dns|root> ods-hsmutil -v test SoftHSM
Testing repository: SoftHSM
Generating 512-bit RSA key... OK
Extracting key identifier... OK, 0c912e61825b94cd1508dc2759990d81
Signing (RSA/SHA1) with key... OK
Signing (RSA/SHA256) with key... OK
Deleting key... OK
Generating 768-bit RSA key... OK
Extracting key identifier... OK, deec6a16dab536014f97e9d7fb2425d2
Signing (RSA/SHA1) with key... OK
Signing (RSA/SHA256) with key... OK
Deleting key... OK
Generating 1024-bit RSA key... OK
Extracting key identifier... OK, 4c811b6400962ac1d2315c6f04e9b9b6
Signing (RSA/SHA1) with key... OK
Signing (RSA/SHA256) with key... OK
Signing (RSA/SHA512) with key... OK
Deleting key... OK
Generating 1536-bit RSA key... OK
Extracting key identifier... OK, 1c9d249bf36560a2a98d3adf35107344
Signing (RSA/SHA1) with key... OK
Signing (RSA/SHA256) with key... OK
Signing (RSA/SHA512) with key... OK
Deleting key... OK
Generating 2048-bit RSA key... OK
Extracting key identifier... OK, 7752b3962e79f9bdc7c51639d8645715
Signing (RSA/SHA1) with key... OK
Signing (RSA/SHA256) with key... OK
Signing (RSA/SHA512) with key... OK
Deleting key... OK
Generating 4096-bit RSA key... OK
Extracting key identifier... OK, 264f708cb68c8618100f0e5503da6d42
Signing (RSA/SHA1) with key... OK
Signing (RSA/SHA256) with key... OK
Signing (RSA/SHA512) with key... OK
Deleting key... OK
Generating 512-bit DSA key... Failed
generate domain parameters: CKR_FUNCTION_NOT_SUPPORTED
Generating 768-bit DSA key... Failed
generate domain parameters: CKR_FUNCTION_NOT_SUPPORTED
Generating 1024-bit DSA key... Failed
generate domain parameters: CKR_FUNCTION_NOT_SUPPORTED
Generating 512-bit GOST key... Failed
generate key pair: CKR_MECHANISM_INVALID
Segmentation fault (core dumped)
Hmmm!? What does that mean? I guess I should be worried.
What to do next:
#) would it be possible to migrate such a database to softhsm2? Either by the migration script or manually (export, import)?
#) should I try to trigger a manual ZSK rollover for the erratic domain?
#) anything else?
#) I am already thinking about a worst-case scenario: restarting from scratch (only 9 domains involved). I have read that it should be possible to run two OpenDNSSEC versions in parallel. Can you confirm this?
Thank you very much for still trying to help me,
Michael
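One way to turn that test output into the check Yuri suggested (does the algorithm and key length the policy requests actually work on this token?), as an added example that is not part of the thread and not OpenDNSSEC code. The sample output is constructed in the shape shown above, and the algorithm-number mapping covers only the RSA and DSA DNSSEC algorithm numbers.

```python
import re

# Constructed excerpt in the shape of `ods-hsmutil -v test` output (not a real capture)
SAMPLE_OUTPUT = """\
Generating 2048-bit RSA key... OK
Extracting key identifier... OK, 7752b3962e79f9bdc7c51639d8645715
Signing (RSA/SHA1) with key... OK
Signing (RSA/SHA256) with key... OK
Signing (RSA/SHA512) with key... OK
Generating 1024-bit DSA key... Failed
generate domain parameters: CKR_FUNCTION_NOT_SUPPORTED
Generating 512-bit GOST key... Failed
generate key pair: CKR_MECHANISM_INVALID
Segmentation fault (core dumped)
"""

GEN_RE = re.compile(r"^Generating (\d+)-bit (\w+) key\.\.\. (OK|Failed)$")
SIGN_RE = re.compile(r"^Signing \((\w+)/(\w+)\) with key\.\.\. (OK|Failed)$")

# DNSSEC algorithm numbers (kasp.xml <Algorithm>) -> key type and digest the HSM must sign with
DNSSEC_ALG = {3: ("DSA", "SHA1"), 5: ("RSA", "SHA1"), 6: ("DSA", "SHA1"),
              7: ("RSA", "SHA1"), 8: ("RSA", "SHA256"), 10: ("RSA", "SHA512")}


def parse_hsm_test(text):
    """Return (keygen status per (type, bits), digests signed OK per key, crashed?)."""
    keys, signs, crashed, current = {}, {}, False, None
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = GEN_RE.match(line)
        if m:
            current = (m.group(2), int(m.group(1)))
            if m.group(3) == "OK":
                keys[current], signs[current] = "OK", set()
            else:  # the PKCS#11 return code follows on the next line
                reason = lines[i + 1] if i + 1 < len(lines) else "unknown"
                keys[current] = reason.rsplit(": ", 1)[-1].strip()
            continue
        m = SIGN_RE.match(line)
        if m and current in signs and m.group(3) == "OK":
            signs[current].add(m.group(2))
        elif line.startswith("Segmentation fault"):
            crashed = True
    return keys, signs, crashed


def policy_supported(keys, signs, alg_number, length):
    """True only if the test generated this key type/length and signed with its digest."""
    key_type, digest = DNSSEC_ALG.get(alg_number, (None, None))
    return keys.get((key_type, length)) == "OK" and digest in signs.get((key_type, length), set())
```

Run it over the real `ods-hsmutil -v test` output and compare the result against the `<Algorithm length="...">` entries of the zone's policy; a key type the token cannot generate or sign with is exactly the mismatch Yuri describes, and a segfault during the test is worth reporting on its own.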