[Opendnssec-user] [hsm] unable to get key

Berry A.W. van Halderen berry at nlnetlabs.nl
Wed Feb 13 13:44:40 UTC 2019


On 2/12/19 11:09 AM, Stephane Bortzmeyer wrote:
> One of my zones (I have several on the same OpenDNS instance, the
> others seem to work) is no longer signed. The log says:
> 
> Feb 12 11:00:47 server ods-signerd[472]: ObjectFile.cpp(122): The attribute does not exist: 0x00000002
> Feb 12 11:00:47 server ods-signerd[472]: [hsm] unable to get key: key 548a9238dd2b608c488ddb6ba08796fb not found
> Feb 12 11:00:47 server ods-signerd[472]: [hsm] hsm_get_dnskey(): Got NULL key
> Feb 12 11:00:47 server ods-signerd[472]: [hsm] unable to get key: hsm failed to create dnskey
> Feb 12 11:00:47 server ods-signerd[472]: [zone] unable to publish dnskeys for zone cyberstructure.fr: error creating dnskey
> Feb 12 11:00:47 server ods-signerd[472]: [tools] unable to read zone cyberstructure.fr: failed to publish dnskeys (General error)
> Feb 12 11:00:47 server ods-signerd[472]: [worker[1]] CRITICAL: failed to sign zone cyberstructure.fr: General error
> Feb 12 11:00:47 server ods-signerd[472]: [worker[1]] backoff task [read] for zone cyberstructure.fr with 3600 seconds
> 
> Then, longer term: what happened?
> 
> OpenDNSSEC 2.0.4 running on Debian "stretch" (stable). "HSM" is
> SoftHSM 2.2.0.

Yes, the Microsoft solution (restart) will get you out of this.  In
order to further prevent a similar situation, please upgrade OpenDNSSEC
and SoftHSM.  Certain OpenDNSSEC versions had race conditions
regarding missing keys, but in your case (which I can tell from
the first line in the logs), upgrading SoftHSM will get you a
fix for issue #358 regarding concurrency on SoftHSM.

Regarding other HSMs mentioned in this thread I cannot speculate
at the moment without knowing the version number of OpenDNSSEC.
Also I'm unaware of the ability of these HSMs to properly support
concurrent access to the HSM by multiple applications.

What ODS does is that one program lets the HSM generate keys,
and after this is done, it signals the other program (enforcer
to signer) which key to use.  If the key isn't available immediately
(which it should be, but let's be forgiving) then the signer
will try again later.  If only a restart will solve the
problem then it is never possible to run any signer with an external
key generator, and it is only possible to integrate all your
software in one monolith, or run any signer in one-shot mode, or
close and reconnect to the HSM.

Such a workaround is a pain and really the HSM would need an update.
So I don't want to do such a hack without proper reason.

\Berry
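As an added illustration (not code from this thread, from OpenDNSSEC or from SoftHSM): the failure chain in the quoted log is regular enough to be picked up mechanically, which is useful when several zones share one signer and only one of them is stuck. The Python below parses ods-signerd lines of that shape, ties each "key ... not found" message to the zone named in the lines that follow it from the same process, records the backoff interval, and lists the zones that need attention. The sample lines are the ones quoted above plus one constructed line for a second, healthy zone; that line's message text ("signing done") is hypothetical and not an ods-signerd format.

```python
"""Summarize per-zone HSM key lookup failures from ods-signerd log lines.

Added example: the regexes target the message shapes visible in the
quoted log, not a documented OpenDNSSEC log grammar.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set

# syslog-style prefix: timestamp, host, "ods-signerd[<pid>]: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+\S+\s+"
    r"ods-signerd\[(?P<pid>\d+)\]:\s+(?P<msg>.*)$"
)
# "[hsm] unable to get key: key <hex id> not found"  (no zone on this line)
KEY_MISSING_RE = re.compile(
    r"\[hsm\] unable to get key: key (?P<keyid>[0-9a-fA-F]+) not found"
)
# any later line that names the zone ("for zone X", "read zone X", "sign zone X")
ZONE_RE = re.compile(r"\bzone (?P<zone>[A-Za-z0-9.-]+)")
# "[worker[N]] backoff task [read] for zone X with 3600 seconds"
BACKOFF_RE = re.compile(
    r"backoff task \[(?P<task>\w+)\] for zone (?P<zone>\S+) with (?P<secs>\d+) seconds"
)


@dataclass
class ZoneStatus:
    zone: str
    missing_keys: Set[str] = field(default_factory=set)
    errors: List[str] = field(default_factory=list)
    backoff_seconds: int = 0
    last_seen: str = ""


def summarize(lines: Iterable[str]) -> Dict[str, ZoneStatus]:
    """Group failures by zone.

    A missing-key message carries no zone name, so it is held per process id
    until the next line from that process names a zone; that mirrors the
    order in which the signer emits the chain in the quoted log.
    """
    zones: Dict[str, ZoneStatus] = {}
    pending: Dict[str, Set[str]] = {}  # pid -> key ids reported missing so far
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not an ods-signerd line
        pid, msg, ts = m["pid"], m["msg"], m["ts"]
        km = KEY_MISSING_RE.search(msg)
        if km:
            pending.setdefault(pid, set()).add(km["keyid"].lower())
            continue
        zm = ZONE_RE.search(msg)
        if not zm:
            continue  # e.g. the ObjectFile.cpp / "Got NULL key" lines
        status = zones.setdefault(zm["zone"], ZoneStatus(zm["zone"]))
        status.last_seen = ts
        status.missing_keys |= pending.pop(pid, set())
        bm = BACKOFF_RE.search(msg)
        if bm:
            status.backoff_seconds = int(bm["secs"])
        elif "CRITICAL" in msg or "unable to" in msg:
            status.errors.append(msg)
    return zones


def zones_needing_attention(summary: Dict[str, ZoneStatus]) -> List[str]:
    """Zones whose signer is backing off because a key could not be found."""
    return sorted(z.zone for z in summary.values()
                  if z.missing_keys and z.backoff_seconds > 0)


# Lines 1-8 are the ones quoted in the thread; line 9 is constructed
# (hypothetical message text) to show a healthy zone is not reported.
SAMPLE_LOG = [
    "Feb 12 11:00:47 server ods-signerd[472]: ObjectFile.cpp(122): The attribute does not exist: 0x00000002",
    "Feb 12 11:00:47 server ods-signerd[472]: [hsm] unable to get key: key 548a9238dd2b608c488ddb6ba08796fb not found",
    "Feb 12 11:00:47 server ods-signerd[472]: [hsm] hsm_get_dnskey(): Got NULL key",
    "Feb 12 11:00:47 server ods-signerd[472]: [hsm] unable to get key: hsm failed to create dnskey",
    "Feb 12 11:00:47 server ods-signerd[472]: [zone] unable to publish dnskeys for zone cyberstructure.fr: error creating dnskey",
    "Feb 12 11:00:47 server ods-signerd[472]: [tools] unable to read zone cyberstructure.fr: failed to publish dnskeys (General error)",
    "Feb 12 11:00:47 server ods-signerd[472]: [worker[1]] CRITICAL: failed to sign zone cyberstructure.fr: General error",
    "Feb 12 11:00:47 server ods-signerd[472]: [worker[1]] backoff task [read] for zone cyberstructure.fr with 3600 seconds",
    "Feb 12 11:00:50 server ods-signerd[472]: [worker[2]] zone example.test: signing done",
]

if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for name in zones_needing_attention(result):
        st = result[name]
        print(f"{name}: missing keys {sorted(st.missing_keys)}, "
              f"retry in {st.backoff_seconds}s, last seen {st.last_seen}")
```

Feeding it the real journal (for example `journalctl -u ods-signerd | python3 this_script.py` with a small stdin loop) gives the zone/key pairs to compare against what the enforcer believes it handed over; a key id that the enforcer lists but the signer cannot find is exactly the situation the reply above attributes to HSM concurrency rather than to the zone itself.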