[Opendnssec-user] Missing keys and various other problems on 2.0

Casper Gielen C.Gielen at uvt.nl
Thu Jun 28 12:06:49 UTC 2018


On 25-06-18 at 17:05, Casper Gielen wrote:
> > Are you using SoftHSM as HSM?  If so, which version?
> > There is a known, resolved issue with certain versions.
>
> I just switched to SoftHSM 2.4.0, from Debian Unstable.
> I'll run it for a bit and see if anything improves.


After two days nothing has happened. That is, all keys seem to be in
exactly the same state as two days ago.

Calling 'ods-enforcer enforce' manually does trigger something, but the
enforcer is not able to talk to our SQL server.

Jun 28 11:52:16 ramachandra ods-enforcerd: DB prepare SQL SELECT
policy.id, policy.rev, policy.name, policy.description,
policy.signaturesResign, policy.signaturesRefresh,
policy.signaturesJitter, policy.signaturesInceptionOffset,
policy.signaturesValidityDefault, policy.signaturesValidityDenial,
policy.signaturesValidityKeyset, policy.signaturesMaxZoneTtl,
policy.denialType, policy.denialOptout, policy.denialTtl,
policy.denialResalt, policy.denialAlgorithm, policy.denialIterations,
policy.denialSaltLength, policy.denialSalt, policy.denialSaltLastChange,
policy.keysTtl, policy.keysRetireSafety, policy.keysPublishSafety,
policy.keysShared, policy.keysPurgeAfter,
policy.zonePropagationDelay, policy.zoneSoaTtl, policy.zoneSoaMinimum,
policy.zoneSoaSerial, policy.parentRegistrationDelay,
policy.parentPropagationDelay, policy.parentDsTtl, policy.parentSoaTtl,
policy.parentSoaMinimum, policy.passthrough FROM policy WHERE policy.id = ?
Jun 28 11:52:16 ramachandra ods-enforcerd: DB prepare Err 2006: MySQL
server has gone away
Jun 28 11:52:16 ramachandra ods-enforcerd:
[hsm_key_factory_generate_task] generate for policy key [duration: 0]
Jun 28 11:52:16 ramachandra ods-enforcerd: [hsm_key_factory_generate]
repository LocalHSM role KSK
Jun 28 11:52:16 ramachandra ods-enforcerd: SELECT COUNT(*) FROM hsmKey
WHERE hsmKey.policyId = ? AND hsmKey.state = ? AND hsmKey.bits = ? AND
hsmKey.algorithm = ? AND hsmKey.role = ? AND hsmKey.isRevoked = ? AND
hsmKey.keyType = ? AND hsmKey.repository = ?
Jun 28 11:52:16 ramachandra ods-enforcerd: DB prepare SQL SELECT
COUNT(*) FROM hsmKey WHERE hsmKey.policyId = ? AND hsmKey.state = ? AND
hsmKey.bits = ? AND hsmKey.algorithm = ? AND hsmKey.role = ? AND
hsmKey.isRevoked = ? AND hsmKey.keyType = ? AND hsmKey.repository = ?
Jun 28 11:52:16 ramachandra ods-enforcerd: DB prepare Err 2006: MySQL
server has gone away

After restarting the enforcer it connects correctly to MySQL and the
keys start advancing through the various states.

I've added a cron-job that restarts the enforcer every 6 hours.
That's not ideal but should make clear if the problem is just that the
enforcer gets stuck and thus misses its deadlines, or if the problems go
deeper.
-- 
Casper Gielen <cgielen at uvt.nl> | LIS UNIX
PGP fingerprint = 16BD 2C9F 8156 C242 F981  63B8 2214 083C F80E 4AF7

Universiteit van Tilburg | Postbus 90153, 5000 LE
Warandelaan 2 | Telefoon 013 466 4100 | G 236 | http://www.uvt.nl
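
An added example, not part of the original message and not OpenDNSSEC code: a syslog check that flags an enforcer whose database connection has gone stale, so the condition raises an alert before key deadlines are missed. The function name, the threshold and the sample lines (built from the excerpt above, unwrapped and shortened) are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# MySQL client error codes meaning the connection itself is dead:
# 2006 (seen in the log above) and 2013 (lost connection during query).
CONNECTION_LOST = {2006, 2013}

SYSLOG = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
                    r"(?P<prog>[^:\[\s]+)(?:\[\d+\])?: (?P<msg>.*)$")
DB_ERR = re.compile(r"DB prepare Err (?P<code>\d+): ")

def stale_db_connections(lines, year, min_errors=2):
    """Return {host: summary} for hosts where ods-enforcerd logged at
    least min_errors connection-loss errors (syslog omits the year)."""
    hits = defaultdict(list)
    for line in lines:
        m = SYSLOG.match(line.rstrip("\n"))
        if not m or m["prog"] != "ods-enforcerd":
            continue
        err = DB_ERR.search(m["msg"])
        if not err or int(err["code"]) not in CONNECTION_LOST:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        hits[m["host"]].append((ts, int(err["code"])))
    report = {}
    for host, events in hits.items():
        if len(events) >= min_errors:
            times = [t for t, _ in events]
            report[host] = {"count": len(events),
                            "first": min(times), "last": max(times),
                            "codes": sorted({c for _, c in events})}
    return report

# Constructed sample: one syslog entry per line, SQL text shortened.
SAMPLE = [
    "Jun 28 11:52:16 ramachandra ods-enforcerd: DB prepare SQL SELECT policy.id FROM policy WHERE policy.id = ?",
    "Jun 28 11:52:16 ramachandra ods-enforcerd: DB prepare Err 2006: MySQL server has gone away",
    "Jun 28 11:52:16 ramachandra ods-enforcerd: [hsm_key_factory_generate] repository LocalHSM role KSK",
    "Jun 28 11:52:16 ramachandra ods-enforcerd: DB prepare Err 2006: MySQL server has gone away",
    "Jun 28 11:52:17 ramachandra cron[4242]: unrelated line from another program",
]

if __name__ == "__main__":
    for host, info in stale_db_connections(SAMPLE, 2018).items():
        print(host, info["count"], "errors, last at", info["last"].isoformat())
```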




