[Opendnssec-user] CRITICAL: failed to sign zone example.com: General error

Yuri Schaeffer yuri at nlnetlabs.nl
Fri Jan 20 09:27:01 UTC 2017

> dns|root> ods-hsmutil -v test SoftHSM

Hmm this shows that generating new keys is not a problem perse. Can you
send me your kasp.xml?

> Segmentation fault (core dumped) Hmmm!? What does that mean? I guess
> I should be worried.

A crash in ods-hsmutil. It should have created a coredump file. (likely
named something like ods-hsmutil.core). Perhaps I can extract some info
from it if you send it to me together with the ods-hsmutil executable
from your system.

> What to do next:
> #) would such a database be possible to migrate to softhsm2? Either
> by the migration script or manually (export, import)?

If this is indeed a softhsm issue it might work. I'm not involved in the
SoftHSM development but as far as I know SoftHSMv2 includes a
softhsm2-migrate program to do this import for you.

> #) should I try to trigger a manual ZSK rollover for the erratic
> domain?

It seems to have trouble generating new keys from the enforcer. So I
don't think that would help you.

> #) I am already thinking about a worst case scenario: Restarting from
> scratch (only 9 domains involved). I have read that it should be
> possible to run two opendnssec versions in parallel. Can you confirm
> this?

It is perfectly possible to run two instances in parallel. Though you
have to make sure you set all the paths correctly so that config files,
PID files, tmp files etc don't mix.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 195 bytes
Desc: OpenPGP digital signature
URL: <http://lists.opendnssec.org/pipermail/opendnssec-user/attachments/20170120/34885f65/attachment.bin>

More information about the Opendnssec-user mailing list