[Opendnssec-user] key_data_update() failed

Roman Serbski mefystofel at gmail.com
Thu Feb 18 10:56:19 UTC 2021


On Thu, Feb 18, 2021 at 9:55 AM (Berry) A.W. van Halderen via
Opendnssec-user <opendnssec-user at lists.opendnssec.org> wrote:
>
> On Tue, Feb 09, 2021 at 01:43:09PM -0800, Randy Bush via Opendnssec-user wrote:
> > opendnssec version 2.1.7
> > softhsm 1.3.8
> >
> > Feb  8 20:07:33 rap ods-enforcerd[676]: [enforcer] update: key_data_update() failed
> >
> > goog gives no hits for key_data_update() failed
> >
>
> I've had one report earlier, but that one was somewhat uncertain.  Now
> with your report and from Roman Serbski there seems to be more of a
> pattern.
>
> The message itself is too technical IMO, and should not be logged this
> way, as many others are.  Instead there should have been a message
> that a key transaction could not be completed because the change could
> not be persisted into the database, and will be tried again.
>
> Technically an update query to the database failed, or did not change
> anything in the database as would have been expected.  It's hard to
> speculate why, because there should not be any valid reason for this.
>
> - To narrow down my research, is this based on a MySQL database?
> - Does the problem persist, i.e. does this message keep on appearing?
> - This can be explicitly tested using the command "ods-enforcer enforce".
> - Does the problem persist even after a restart of the enforcer
>   "ods-enforcer stop ; ods-enforcer start"?
> - How many zones does the enforcer handle?
> - Are there any other log messages which might help me?
>
> There should be no problem if the problem does not persist, as the
> transaction should be retried, but again, it should not happen in
> any circumstance, apart from actually stopping the database.
>
> \Berry
>
> P.S.: The imminent 2.1.8 release with a fix to purging of the keys,
> cannot be related to this issue.

Hi Berry,

Thank you for your reply.

I started reading the thread from November
(https://lists.opendnssec.org/pipermail/opendnssec-user/2020-November/004551.html)
and I might be wrong but I think it's related. I'm experiencing the
same behavior as Paul Wouters
(https://lists.opendnssec.org/pipermail/opendnssec-user/2020-November/004552.html)
-- it takes several minutes to list all keys.

Actually, the key from my initial email has never been purged from the HSM:

%ods-hsmutil list | grep f30eafaf208d0cab57cda29a75b62820
SoftHSM               f30eafaf208d0cab57cda29a75b62820  RSA/1024

I've seen key_data_update() error with SoftHSM 1 too (I've only
recently upgraded to SoftHSM 2).

Regarding your questions:

> - To narrow down my research, is this based on a MySQL database?

I've always been using SQLite (sqlite3-3.34.1 to be precise).

> - Does the problem persist, i.e. does this message keep on appearing?
> - This can be explicitly tested using the command "ods-enforcer enforce".
> - Does the problem persist even after a restart of the enforcer
>   "ods-enforcer stop ; ods-enforcer start"?

I haven't seen it reappearing for the same key. I think it occurs only
once, at the moment the key is supposed to get purged from the HSM.

So if I look at the zone in question, everything seems to be fine from
the enforcer perspective:

% ods-enforcer key list -v | grep domain.org
domain.org                       KSK      active    2021-02-21 08:57:12      2048  8          e8f6629b6fd5d7d466f892cf0921091f SoftHSM     57760
domain.org                       ZSK      active    2021-02-21 08:57:12      1024  8          e9ab74866bfad3fd7db73efe73b4e40f SoftHSM     27328

But the key (ZSK) that was renewed is still in the HSM:

%ods-hsmutil list | grep f30eafaf208d0cab57cda29a75b62820
SoftHSM               f30eafaf208d0cab57cda29a75b62820  RSA/1024

> - How many zones does the enforcer handle?

82

> - Are there any other log messages which might help me?

No other logs present.

Would be happy to provide further info in case needed.

Thank you.
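
The by-hand comparison in the message above (`ods-hsmutil list` against `ods-enforcer key list -v`) can be automated to find every key left in the HSM that the enforcer no longer lists. This is an added example, not part of the original post or of OpenDNSSEC; the function names are hypothetical, and it assumes the column layout and 32-hex-digit key ids seen in the quoted output.

```python
import re

# Constructed sample input, assembled from the output lines quoted in the
# message (the HSM row for the active KSK is assumed, including RSA/2048).
HSMUTIL_LIST = """\
SoftHSM               e8f6629b6fd5d7d466f892cf0921091f  RSA/2048
SoftHSM               e9ab74866bfad3fd7db73efe73b4e40f  RSA/1024
SoftHSM               f30eafaf208d0cab57cda29a75b62820  RSA/1024
"""
ENFORCER_KEY_LIST = """\
domain.org                       KSK      active    2021-02-21
08:57:12      2048  8          e8f6629b6fd5d7d466f892cf0921091f
SoftHSM     57760
domain.org                       ZSK      active    2021-02-21
08:57:12      1024  8          e9ab74866bfad3fd7db73efe73b4e40f
SoftHSM     27328
"""

# Assumption: key ids are 32 lowercase hex digits, as in the listings above.
KEY_ID = re.compile(r"\b[0-9a-f]{32}\b")


def hsm_keys(text):
    """Map key id -> (repository, type) from `ods-hsmutil list` output."""
    keys = {}
    for line in text.splitlines():
        fields = line.split()
        # Key rows have three columns; headers and counts are skipped.
        if len(fields) == 3 and KEY_ID.fullmatch(fields[1]):
            keys[fields[1]] = (fields[0], fields[2])
    return keys


def enforcer_key_ids(text):
    """Key ids in `ods-enforcer key list -v` output, wrapped lines included."""
    return set(KEY_ID.findall(text))


def unreferenced(hsm_text, enforcer_text):
    """HSM keys the enforcer listing no longer mentions: review candidates."""
    known = enforcer_key_ids(enforcer_text)
    return sorted((kid, repo, kind)
                  for kid, (repo, kind) in hsm_keys(hsm_text).items()
                  if kid not in known)


if __name__ == "__main__":
    for kid, repo, kind in unreferenced(HSMUTIL_LIST, ENFORCER_KEY_LIST):
        print(f"{repo}  {kid}  {kind}  not in enforcer key list")
```

A key reported here is only a candidate for review; confirm that no zone still needs it before removing anything from the HSM.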

