[Opendnssec-user] CRITICAL: failed to sign zone example.com: General error
PGNet Dev
pgnet.dev at gmail.com
Thu Jan 19 17:27:33 UTC 2017
On 01/19/2017 09:03 AM, Michael Grimm wrote:
> Generating 512-bit DSA key... Failed
> generate domain parameters: CKR_FUNCTION_NOT_SUPPORTED
>
> Generating 768-bit DSA key... Failed
> generate domain parameters: CKR_FUNCTION_NOT_SUPPORTED
>
> Generating 1024-bit DSA key... Failed
> generate domain parameters: CKR_FUNCTION_NOT_SUPPORTED
>
> Generating 512-bit GOST key... Failed
> generate key pair: CKR_MECHANISM_INVALID
>
> Segmentation fault (core dumped)
>
>
>
> Hmmm!? What does that mean? I guess I should be worried.
Without seeing a trace, my 1st *guess* would be that the linked Botan or
OpenSSL (DID softhsm1 even support OpenSSL?) crypto backend doesn't have
DSA enabled, or is somehow busted.
Just curious -- where are you getting your Softhsm/ODS installs?
DIY?
Distro pkgs?
> What to do next:
>
> #) would such a database be possible to migrate to softhsm2? Either by the migration script or manually (export, import)?
> #) should I try to trigger a manual ZSK rollover for the erratic domain?
> #) anything else?
>
> #) I am already thinking about a worst case scenario: Restarting from scratch (only 9 domains involved). I have read that it should be possible to run two opendnssec versions in parallel. Can you confirm this?
Just my $0.02 ... and, I'm certainly not one of the devs.
I'd had zero luck getting softhsm1x and ods1x working on my system; if
it wasn't one thing it was another.
Yes, I know, others obviously have it working.
I moved, instead, to building from src
ldns 1.7.x
softhsm 2.3.x, backed by openssl 1.0.2j
ods 2.1.x
and run under systemd.
Since, I've had a much more reliable system.
IIUC from a previous post, ods 2.1 is targeted for _release_ end of Jan.
Apart from the fact that it all works (so far) it's also, inevitably,
where new development will be.
YMMV.