[Opendnssec-user] Missing keys and various other problems on 2.0

Berry A.W. van Halderen berry at nlnetlabs.nl
Mon Jul 2 08:33:28 UTC 2018


On 06/28/2018 02:06 PM, Casper Gielen wrote:
> 25-06-18 om 17:05 schreef Casper Gielen:
>>> Are you using SoftHSM as HSM?  If so, which version?
>>> There is a known, resolved issue with certain versions.
>>
>> I just switched to SoftHSM 2.4.0, from Debian Unstable.
>> I'll run it for a bit and see if anything improves.
> 
> 
> After two days nothing has happened. That is, all keys seem to be in
> exactly the same state as two days ago.
> 
> Calling 'ods-enforcer enforce' manually does trigger something, but the
> enforcer is not able to talk to our SQL server.
> 
> Jun 28 11:52:16 ramachandra ods-enforcerd: DB prepare SQL SELECT
> policy.id, policy.rev, policy.name, policy.description,
> policy.signaturesResign, policy.signaturesRefresh,
> policy.signaturesJitter, policy.signaturesInceptionOffset,
> policy.signaturesValidityDefault, policy.signaturesValidityDenial,
> policy.signaturesValidityKeyset, policy.signaturesMaxZoneTtl,
> policy.denialType, policy.denialOptout, policy.denialTtl,
> policy.denialResalt, policy.denialAlgorithm, policy.denialIterations,
> policy.denialSaltLength, policy.denialSalt, policy.denialSaltLastChange,
> policy.keysTtl, policy.keysRetireSafety, policy.keysPublishSafety,
> policy.keysShared, policy.keysPurgeAfter,
> policy.zonePropagationDelay, policy.zoneSoaTtl, policy.zoneSoaMinimum,
> policy.zoneSoaSerial, policy.parentRegistrationDelay,
> policy.parentPropagationDelay, policy.parentDsTtl, policy.parentSoaTtl,
> policy.parentSoaMinimum, policy.passthrough FROM policy WHERE policy.id = ?
> Jun 28 11:52:16 ramachandra ods-enforcerd: DB prepare Err 2006: MySQL
> server has gone away
> Jun 28 11:52:16 ramachandra ods-enforcerd:
> [hsm_key_factory_generate_task] generate for policy key [duration: 0]
> Jun 28 11:52:16 ramachandra ods-enforcerd: [hsm_key_factory_generate]
> repository LocalHSM role KSK
> Jun 28 11:52:16 ramachandra ods-enforcerd: SELECT COUNT(*) FROM hsmKey
> WHERE hsmKey.policyId = ? AND hsmKey.state = ? AND hsmKey.bits = ? AND
> hsmKey.algorithm = ? AND hsmKey.role = ? AND hsmKey.isRevoked = ? AND
> hsmKey.keyType = ? AND hsmKey.repository = ?
> Jun 28 11:52:16 ramachandra ods-enforcerd: DB prepare SQL SELECT
> COUNT(*) FROM hsmKey WHERE hsmKey.policyId = ? AND hsmKey.state = ? AND
> hsmKey.bits = ? AND hsmKey.algorithm = ? AND hsmKey.role = ? AND
> hsmKey.isRevoked = ? AND hsmKey.keyType = ? AND hsmKey.repository = ?
> Jun 28 11:52:16 ramachandra ods-enforcerd: DB prepare Err 2006: MySQL
> server has gone away
> 
> After restarting the enforcer it connects correctly to MySQL and the
> keys start advancing through the various states.

That would be a known issue:
https://issues.opendnssec.org/browse/OPENDNSSEC-913

There is some code which "keeps" the connection alive, but in case
the connection goes anyway, it won't reconnect.  There are two
reasons for a connection to get lost:
- A deliberate restart of the database.  Although we should address
  this, it's not a very frequent case.
- A too short timeout on the mysql/mariadb compared to how often
  the enforcer wakes up to check zones.  Can also be addressed as above
  but often also resolved by larger settings to interactive_timeout
  (and possibly wait_timeout, though that shouldn't).

> I've added a cron-job that restarts the enforcer every 6 hours.
> That's not ideal but should make clear if the problem is just that the
> enforcer gets stuck and thus misses its deadlines, or if the problems go
> deeper.

Please let us know how you fare with that.

\Berry
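Two offline checks that follow from the exchange above, written as an added example for this archive page; this is not code from the OpenDNSSEC project or from either poster. The first scans ods-enforcerd syslog lines for MySQL error 2006 ("server has gone away"), the symptom Casper quoted, so an operator can alert on a stuck enforcer instead of discovering it days later. The second compares the MySQL/MariaDB idle timeouts (wait_timeout and interactive_timeout, the settings Berry names) against how long the enforcer is expected to leave its connection idle between wake-ups, and flags timeouts that could expire in that gap. The log lines and the SHOW VARIABLES output are constructed samples modelled on the thread, and the enforcer wake interval is an operator-supplied assumption, not a value taken from any OpenDNSSEC configuration.

```python
"""Added example (not OpenDNSSEC project code, not from the thread's authors).

1. find_gone_away():   detect 'DB prepare Err 2006' lines from ods-enforcerd in syslog text.
2. timeouts_too_short(): compare MySQL/MariaDB idle timeouts with the enforcer's idle gap.
All sample data below is constructed for the example.
"""
import re

# Constructed syslog sample, modelled on the lines quoted in the thread.
SAMPLE_SYSLOG = """\
Jun 28 11:52:16 ramachandra ods-enforcerd: DB prepare SQL SELECT COUNT(*) FROM hsmKey WHERE hsmKey.policyId = ?
Jun 28 11:52:16 ramachandra ods-enforcerd: DB prepare Err 2006: MySQL server has gone away
Jun 28 11:52:16 ramachandra ods-enforcerd: [hsm_key_factory_generate] repository LocalHSM role KSK
Jun 28 11:52:17 ramachandra ods-enforcerd: DB prepare Err 2006: MySQL server has gone away
Jun 28 12:10:03 ramachandra ods-enforcerd: [enforce_task] enforce for zone example.com
"""

# syslog timestamp, host, program, then the exact error prefix from the thread
GONE_AWAY_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ ods-enforcerd: DB prepare Err 2006:"
)


def find_gone_away(log_text):
    """Return the timestamp of every ods-enforcerd line reporting MySQL error 2006."""
    hits = []
    for line in log_text.splitlines():
        m = GONE_AWAY_RE.match(line)
        if m:
            hits.append(m.group("ts"))
    return hits


# Constructed sample of tab-separated output from:  mysql -e "SHOW VARIABLES LIKE '%timeout%'"
SAMPLE_SHOW_VARIABLES = """\
Variable_name\tValue
connect_timeout\t10
interactive_timeout\t28800
wait_timeout\t600
"""


def parse_show_variables(text):
    """Parse 'Variable_name<TAB>Value' rows (first row is the header) into a dict of strings."""
    variables = {}
    for line in text.splitlines()[1:]:
        name, _, value = line.partition("\t")
        if name:
            variables[name.strip()] = value.strip()
    return variables


def timeouts_too_short(variables, enforcer_idle_gap_s, margin=2.0):
    """Return the idle-timeout variables that could expire while the enforcer's connection sits idle.

    enforcer_idle_gap_s is the operator's estimate (an assumption for this example) of the
    longest time the enforcer leaves its database connection untouched between wake-ups.
    The server closes an idle connection once wait_timeout (non-interactive clients) or
    interactive_timeout elapses; the enforcer's next query then fails with error 2006 and,
    as the thread notes, it does not reconnect.  `margin` requires the timeout to exceed the
    gap by that factor so scheduling jitter does not push the connection over the edge.
    """
    needed = enforcer_idle_gap_s * margin
    short = []
    for name in ("wait_timeout", "interactive_timeout"):
        value = variables.get(name)
        if value is not None and int(value) < needed:
            short.append(name)
    return short


if __name__ == "__main__":
    print("error 2006 seen at:", find_gone_away(SAMPLE_SYSLOG))
    current = parse_show_variables(SAMPLE_SHOW_VARIABLES)
    # assumed one-hour idle gap between enforcer wake-ups
    print("timeouts shorter than the idle gap:", timeouts_too_short(current, 3600))
```

Both timeouts are server-side session defaults; raising them in the `[mysqld]` section of my.cnf (or with `SET GLOBAL`) only affects connections opened afterwards, so the enforcer still needs one restart to pick up the new value, which also matches the recovery Casper observed. The log check is cheap enough to run from the same cron job that currently restarts the enforcer, turning a blind periodic restart into a restart that is only triggered when the error is actually present.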


