[Opendnssec-user] Release OpenDNSSEC 2.1.8

Fred. Zwarts F.Zwarts at KVI.nl
Wed Mar 3 11:03:19 UTC 2021


On 20 Feb 2021 at 23:03, (Berry) A.W. van Halderen via 
Opendnssec-user wrote:
> Version 2.1.8 of OpenDNSSEC has been released today, 20/February/2021.
> 
> This release of 2.1.8 fixes a number of bugs related to the purging of
> keys, a potential denial of service vulnerability in some installations,
> and a few rarer but nasty potential crashes.  Earlier versions of
> OpenDNSSEC 2.1 might not have all keys purged from the HSM if instructed
> to do so.  Since this is now done automatically, it is worth pointing out
> that this was a bug and old keys will be permanently removed from the HSM.
> 
> Either when manually purging keys, or having specified a <Purge> in
> your key policy (kasp.xml), the keys are supposed to be removed from
> the HSM.  However, for some time, the keys were marked for deletion,
> and became invisible, but the removal from the HSM was skipped.  In this
> release candidate this is fixed, but still allowing keys not to be
> removed entirely.  When you specify an automatic purge then the keys
> will, after the specified period, be completely removed.  When you
> purge manually, keys are not removed from the HSM unless you specify an
> additional flag (the --delete or -d flag).
>  ...
I installed the new version on our test system. When it started the 
first time, it purged many keys from SoftHSM. I was more or less 
expecting this.
Now, a few days later, I see hundreds of messages in the logs. They 
started spontaneously already two days before the installation of the 
new version and are still showing up with the new version. They look as 
follows:

> /var/log/messages-20210303:2021-03-02T08:44:58.353792+01:00 kvivs20 ods-signerd: [hsm] unable to get key: hsm failed to create dnskey
> /var/log/messages-20210303:2021-03-02T08:44:58.356143+01:00 kvivs20 ods-signerd: [hsm] unable to get key: hsm failed to create dnskey
> /var/log/messages-20210303:2021-03-02T08:44:58.358105+01:00 kvivs20 ods-signerd: [hsm] unable to get key: hsm failed to create dnskey
> /var/log/messages-20210303:2021-03-02T08:44:58.359132+01:00 kvivs20 ods-signerd: [hsm] unable to get key: hsm failed to create dnskey
> /var/log/messages-20210303:2021-03-02T09:43:58.361759+01:00 kvivs20 ods-signerd: [hsm] unable to get key: hsm failed to create dnskey
> /var/log/messages-20210303:2021-03-02T09:44:58.366770+01:00 kvivs20 ods-signerd: [hsm] unable to get key: hsm failed to create dnskey
> /var/log/messages-20210303:2021-03-02T09:44:58.368808+01:00 kvivs20 ods-signerd: [hsm] unable to get key: hsm failed to create dnskey
> /var/log/messages-20210303:2021-03-02T09:44:58.370643+01:00 kvivs20 ods-signerd: [hsm] unable to get key: hsm failed to create dnskey
> /var/log/messages-20210303:2021-03-02T09:44:58.372153+01:00 kvivs20 ods-signerd: [hsm] unable to get key: hsm failed to create dnskey
> /var/log/messages-20210303:2021-03-02T10:43:58.379885+01:00 kvivs20 ods-signerd: [hsm] unable to get key: hsm failed to create dnskey
> /var/log/messages-20210303:2021-03-02T10:44:58.379773+01:00 kvivs20 ods-signerd: [hsm] unable to get key: hsm failed to create dnskey
> /var/log/messages-20210303:2021-03-02T10:44:58.386263+01:00 kvivs20 ods-signerd: [hsm] unable to get key: hsm failed to create dnskey
> /var/log/messages-20210303:2021-03-02T10:44:58.390480+01:00 kvivs20 ods-signerd: [hsm] unable to get key: hsm failed to create dnskey
> /var/log/messages-20210303:2021-03-02T10:44:58.391639+01:00 kvivs20 ods-signerd: [hsm] unable to get key: hsm failed to create dnskey
> /var/log/messages-20210303:2021-03-02T11:43:58.392371+01:00 kvivs20 ods-signerd: [hsm] unable to get key: hsm failed to create dnskey
> /var/log/messages-20210303:2021-03-02T11:44:58.399582+01:00 kvivs20 ods-signerd: [hsm] unable to get key: hsm failed to create dnskey
> /var/log/messages-20210303:2021-03-02T11:44:58.404666+01:00 kvivs20 ods-signerd: [hsm] unable to get key: hsm failed to create dnskey
> /var/log/messages-20210303:2021-03-02T11:44:58.406427+01:00 kvivs20 ods-signerd: [hsm] unable to get key: hsm failed to create dnskey
> /var/log/messages-20210303:2021-03-02T11:44:58.407411+01:00 kvivs20 ods-signerd: [hsm] unable to get key: hsm failed to create dnskey
> /var/log/messages-20210303:2021-03-02T12:43:58.413799+01:00 kvivs20 ods-signerd: [hsm] unable to get key: hsm failed to create dnskey
> /var/log/messages-20210303:2021-03-02T12:44:58.419148+01:00 kvivs20 ods-signerd: [hsm] unable to get key: hsm failed to create dnskey
> /var/log/messages-20210303:2021-03-02T12:44:58.421180+01:00 kvivs20 ods-signerd: [hsm] unable to get key: hsm failed to create dnskey
> /var/log/messages-20210303:2021-03-02T12:44:58.423065+01:00 kvivs20 ods-signerd: [hsm] unable to get key: hsm failed to create dnskey
> /var/log/messages-20210303:2021-03-02T12:44:58.425057+01:00 kvivs20 ods-signerd: [hsm] unable to get key: hsm failed to create dnskey
> /var/log/messages-20210303:2021-03-02T13:43:58.425271+01:00 kvivs20 ods-signerd: [hsm] unable to get key: hsm failed to create dnskey
> /var/log/messages-20210303:2021-03-02T13:44:58.425789+01:00 kvivs20 ods-signerd: [hsm] unable to get key: hsm failed to create dnskey
> /var/log/messages-20210303:2021-03-02T13:44:58.432387+01:00 kvivs20 ods-signerd: [hsm] unable to get key: hsm failed to create dnskey
> /

As you can see, they appear in bursts every hour. I wonder whether I 
have to worry about these messages and if so, how to diagnose and solve 
the problem.
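
One way to quantify the hourly bursts described above, as an added example that is not part of the original message: a Python script that groups the signer's HSM errors into bursts and reports the spacing between burst starts. The five-minute gap threshold and the function names are assumptions; the sample is a subset of the quoted log lines plus one constructed unrelated line.

```python
import re
from datetime import datetime, timedelta

# Optional "file:" prefix (grep output), ISO timestamp, host, then the signer's HSM error.
LINE_RE = re.compile(
    r"^(?:[^:]+:)?(?P<ts>\d{4}-\d\d-\d\dT\S+) (?P<host>\S+) ods-signerd: "
    r"\[hsm\] unable to get key: (?P<reason>.+)$")

# Subset of the lines quoted in the post, plus one constructed unrelated line.
PFX = "/var/log/messages-20210303:2021-03-02T"
MSG = "+01:00 kvivs20 ods-signerd: [hsm] unable to get key: hsm failed to create dnskey"
SAMPLE = [PFX + t + MSG for t in (
    "09:43:58.361759", "09:44:58.366770", "09:44:58.368808",
    "10:43:58.379885", "10:44:58.379773", "10:44:58.386263",
    "11:43:58.392371", "11:44:58.399582")]
SAMPLE.insert(3, PFX + "10:00:01.000000+01:00 kvivs20 CROND[1234]: (constructed) unrelated")

def parse(lines):
    """Return the sorted timestamps of the HSM key-lookup errors only."""
    stamps = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            stamps.append(datetime.fromisoformat(m.group("ts")))
    return sorted(stamps)

def bursts(stamps, gap=timedelta(minutes=5)):
    """Group timestamps; a new burst starts after a quiet period longer than gap."""
    groups = []
    for ts in stamps:
        if groups and ts - groups[-1][-1] <= gap:
            groups[-1].append(ts)
        else:
            groups.append([ts])
    return groups

def summarize(groups):
    """Return [(burst start, message count)] and seconds between burst starts."""
    starts = [g[0] for g in groups]
    intervals = [round((b - a).total_seconds()) for a, b in zip(starts, starts[1:])]
    per_burst = [(g[0].isoformat(timespec="seconds"), len(g)) for g in groups]
    return per_burst, intervals

if __name__ == "__main__":
    per_burst, intervals = summarize(bursts(parse(SAMPLE)))
    for start, count in per_burst:
        print(start, count)
    print("seconds between burst starts:", intervals)
```

A constant interval between burst starts points at a scheduled task rather than random failures, and the message count per burst shows how many key lookups fail in each run.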


