[Opendnssec-user] [hsm] unable to get key

Michael Grimm trashcan at ellael.org
Thu Apr 15 19:29:42 UTC 2021


I am running opendnssec 2.1.8 and softhsm2 2.6.1 in a jail on a recent FreeBSD 13-STABLE system.

Today, out of a sudden, I am getting those errors for all of my domains (e.g. example.tld):

Apr 15 11:10:45 <local0.notice> ods-enforcerd[52482]: [engine] running as pid 52482
Apr 15 11:10:45 <local0.notice> ods-enforcerd[52482]: [engine] enforcer started
Apr 15 11:10:45 <local0.notice> ods-enforcerd[52482]: [enforcer] update zone: example.tld
Apr 15 11:10:45 <local0.err> ods-enforcerd[52482]: [hsm_key_factory_delete_key] looking for keys to purge from HSM
Apr 15 11:10:45 <local0.notice> ods-enforcerd[52482]: [enforcer] removeDeadKeys: keys deleted from HSM: 0
Apr 15 11:10:45 <local0.notice> ods-enforcerd[52482]: [enforce_task] No changes to signconf file required for zone example.tld
Apr 15 11:10:46 <local0.err> ods-signerd[52488]: [hsm] unable to get key: key c9b713853a6757d0ac806ddc6384968c not found
Apr 15 11:10:46 <local0.err> ods-signerd[52488]: [hsm] hsm_get_dnskey(): Got NULL key
Apr 15 11:10:46 <local0.err> ods-signerd[52488]: [hsm] unable to get key: hsm failed to create dnskey
Apr 15 11:10:46 <local0.err> ods-signerd[52488]: [zone] unable to prepare signing keys for zone example.tld: error getting dnskey
Apr 15 11:10:46 <local0.crit> ods-signerd[52488]: [worker[1]] CRITICAL: failed to sign zone example.tld: General error
Apr 15 11:10:46 <local0.notice> ods-signerd[52488]: back-off task [sign] for zone example.tld with 60 seconds

I didn't change anything, but immediately after a restart of the jail those messages started.

All my keys shown by 'ods-enforcer key list --verbose' can be found in the SoftHSM2 database 'ods-hsmutil list', and all those keys (e.g. c9b713853a6757d0ac806ddc6384968c) not. That explains the complaints e.g. 'key c9b713853a6757d0ac806ddc6384968c not found'.

But why does the signer looks for keys not available in the hsm database?

Any ideas regarding this and how to debug this issue?

Thanks in advance and with kind regards,

More information about the Opendnssec-user mailing list