[Opendnssec-user] [hsm] unable to get key

Berry van Halderen berry at nlnetlabs.nl
Thu Apr 15 20:04:02 UTC 2021

On 2021-04-15 21:29, Michael Grimm via Opendnssec-user wrote:
> Hi,
> I am running opendnssec 2.1.8 and softhsm2 2.6.1 in a jail on a recent
> FreeBSD 13-STABLE system.
> Today, out of a sudden, I am getting those errors for all of my
> domains (e.g. example.tld):
> Apr 15 11:10:45 <local0.notice> ods-enforcerd[52482]: [engine] running
> as pid 52482
> Apr 15 11:10:45 <local0.notice> ods-enforcerd[52482]: [engine] enforcer 
> started
> Apr 15 11:10:45 <local0.notice> ods-enforcerd[52482]: [enforcer]
> update zone: example.tld
> Apr 15 11:10:45 <local0.err> ods-enforcerd[52482]:
> [hsm_key_factory_delete_key] looking for keys to purge from HSM
> Apr 15 11:10:45 <local0.notice> ods-enforcerd[52482]: [enforcer]
> removeDeadKeys: keys deleted from HSM: 0
> Apr 15 11:10:45 <local0.notice> ods-enforcerd[52482]: [enforce_task]
> No changes to signconf file required for zone example.tld
> ...
> Apr 15 11:10:46 <local0.err> ods-signerd[52488]: [hsm] unable to get
> key: key c9b713853a6757d0ac806ddc6384968c not found
> Apr 15 11:10:46 <local0.err> ods-signerd[52488]: [hsm]
> hsm_get_dnskey(): Got NULL key
> Apr 15 11:10:46 <local0.err> ods-signerd[52488]: [hsm] unable to get
> key: hsm failed to create dnskey
> Apr 15 11:10:46 <local0.err> ods-signerd[52488]: [zone] unable to
> prepare signing keys for zone example.tld: error getting dnskey
> Apr 15 11:10:46 <local0.crit> ods-signerd[52488]: [worker[1]]
> CRITICAL: failed to sign zone example.tld: General error
> Apr 15 11:10:46 <local0.notice> ods-signerd[52488]: back-off task
> [sign] for zone example.tld with 60 seconds
> I didn't change anything, but immediately after a restart of the jail
> those messages started.
> All my keys shown by 'ods-enforcer key list --verbose' can be found in
> the SoftHSM2 database 'ods-hsmutil list', and all those keys (e.g.
> c9b713853a6757d0ac806ddc6384968c) not. That explains the complaints
> e.g. 'key c9b713853a6757d0ac806ddc6384968c not found'.

You mention key c9b713853a6757d0ac806ddc6384968c is:
- not mentioned in ods-enforcer key list --verbose
- not mentioned in ods-hsmutil list
Can you look in files /usr/local/var/opendnssec/signconf/*
whether it is mentioned there, and if so, can provide a piece
of that XML?  I suspect it is mentioned without <Publish/> mentioned
in it's <Key> section.

Did you purge old keys yourself with an ods-enforcer key purge
command, or do you have a <Purge> mentioned in your 
configuration.  By change is it set to 0, or a quite low value?

I suspect this is an old key that was removed and with a restart there 
are still
old signatures of this key around.  A ods-signer clear <zone> will 
repair the issue,
but I'd like to harden the signer to not care about too agressive key 

> But why does the signer looks for keys not available in the hsm 
> database?

Probably because there are still signatures with this key.

> Any ideas regarding this and how to debug this issue

See above ;-)


> Thanks in advance and with kind regards,
> Michael
> _______________________________________________
> Opendnssec-user mailing list
> Opendnssec-user at lists.opendnssec.org
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user

More information about the Opendnssec-user mailing list