[Opendnssec-user] Release OpenDNSSEC 2.1.8

(Berry) A.W. van Halderen berry at nlnetlabs.nl
Fri Mar 5 10:08:08 UTC 2021


On Wed, Mar 03, 2021 at 12:03:19PM +0100, Fred. Zwarts via Opendnssec-user wrote:
> On 20 Feb 2021 at 23:03, (Berry) A.W. van Halderen via
> Opendnssec-user wrote:
> > Version 2.1.8 of OpenDNSSEC has been released today, 20/February/2021.
> > 
> I installed the new version on our test system. When it started the first
> time, it purged many keys from SoftHSM. I was more or less expecting this.
> Now, a few days later, I see hundreds of messages in the logs. They started
> spontaneously already two days before the installation of the new version
> and are still showing up with the new version. They look as follows:
> 
> > /var/log/messages-20210303:2021-03-02T08:44:58.353792+01:00 kvivs20 ods-signerd: [hsm] unable to get key: hsm failed to create dnskey
> > /var/log/messages-20210303:2021-03-02T08:44:58.356143+01:00 kvivs20 ods-signerd: [hsm] unable to get key: hsm failed to create dnskey
> > /var/log/messages-20210303:2021-03-02T08:44:58.358105+01:00 kvivs20 ods-signerd: [hsm] unable to get key: hsm failed to create dnskey
> > /var/log/messages-20210303:2021-03-02T08:44:58.359132+01:00 kvivs20 ods-signerd: [hsm] unable to get key: hsm failed to create dnskey
> > /var/log/messages-20210303:2021-03-02T09:43:58.361759+01:00 kvivs20 ods-signerd: [hsm] unable to get key: hsm failed to create dnskey
> > /var/log/messages-20210303:2021-03-02T09:44:58.366770+01:00 kvivs20 ods-signerd: [hsm] unable to get key: hsm failed to create dnskey
> > /var/log/messages-20210303:2021-03-02T09:44:58.368808+01:00 kvivs20 ods-signerd: [hsm] unable to get key: hsm failed to create dnskey
> > /var/log/messages-20210303:2021-03-02T09:44:58.370643+01:00 kvivs20 ods-signerd: [hsm] unable to get key: hsm failed to create dnskey
> > /var/log/messages-20210303:2021-03-02T09:44:58.372153+01:00 kvivs20 ods-signerd: [hsm] unable to get key: hsm failed to create dnskey
> > /var/log/messages-20210303:2021-03-02T10:43:58.379885+01:00 kvivs20 ods-signerd: [hsm] unable to get key: hsm failed to create dnskey
> > /var/log/messages-20210303:2021-03-02T10:44:58.379773+01:00 kvivs20 ods-signerd: [hsm] unable to get key: hsm failed to create dnskey
> > /var/log/messages-20210303:2021-03-02T10:44:58.386263+01:00 kvivs20 ods-signerd: [hsm] unable to get key: hsm failed to create dnskey
> > /var/log/messages-20210303:2021-03-02T10:44:58.390480+01:00 kvivs20 ods-signerd: [hsm] unable to get key: hsm failed to create dnskey
> > /var/log/messages-20210303:2021-03-02T10:44:58.391639+01:00 kvivs20 ods-signerd: [hsm] unable to get key: hsm failed to create dnskey
> > /var/log/messages-20210303:2021-03-02T11:43:58.392371+01:00 kvivs20 ods-signerd: [hsm] unable to get key: hsm failed to create dnskey
> > /var/log/messages-20210303:2021-03-02T11:44:58.399582+01:00 kvivs20 ods-signerd: [hsm] unable to get key: hsm failed to create dnskey
> > /var/log/messages-20210303:2021-03-02T11:44:58.404666+01:00 kvivs20 ods-signerd: [hsm] unable to get key: hsm failed to create dnskey
> > /var/log/messages-20210303:2021-03-02T11:44:58.406427+01:00 kvivs20 ods-signerd: [hsm] unable to get key: hsm failed to create dnskey
> > /var/log/messages-20210303:2021-03-02T11:44:58.407411+01:00 kvivs20 ods-signerd: [hsm] unable to get key: hsm failed to create dnskey
> > /var/log/messages-20210303:2021-03-02T12:43:58.413799+01:00 kvivs20 ods-signerd: [hsm] unable to get key: hsm failed to create dnskey
> > /var/log/messages-20210303:2021-03-02T12:44:58.419148+01:00 kvivs20 ods-signerd: [hsm] unable to get key: hsm failed to create dnskey
> > /var/log/messages-20210303:2021-03-02T12:44:58.421180+01:00 kvivs20 ods-signerd: [hsm] unable to get key: hsm failed to create dnskey
> > /var/log/messages-20210303:2021-03-02T12:44:58.423065+01:00 kvivs20 ods-signerd: [hsm] unable to get key: hsm failed to create dnskey
> > /var/log/messages-20210303:2021-03-02T12:44:58.425057+01:00 kvivs20 ods-signerd: [hsm] unable to get key: hsm failed to create dnskey
> > /var/log/messages-20210303:2021-03-02T13:43:58.425271+01:00 kvivs20 ods-signerd: [hsm] unable to get key: hsm failed to create dnskey
> > /var/log/messages-20210303:2021-03-02T13:44:58.425789+01:00 kvivs20 ods-signerd: [hsm] unable to get key: hsm failed to create dnskey
> > /var/log/messages-20210303:2021-03-02T13:44:58.432387+01:00 kvivs20 ods-signerd: [hsm] unable to get key: hsm failed to create dnskey
> > /
> 
> As you can see, they appear in bursts every hour. I wonder whether I have to
> worry about these messages and if so, how to diagnose and solve the problem.

That ain't good.  I see multiple messages per time slot (hour).
Therefore, am I correct that you have multiple zones in this installation (4+)?

Can you share the signconf files (.../var/opendnssec/signconf/*.xml)
with me?
I have a suspicion that one of the keys that are not in the zone anymore
is still left as reference.  That shouldn't happen but can be corrected
without ill effects.
If I'm correct it will go away but that may take too long.
Otherwise it would be more of a riddle and without a good explanation
a problem (because it could mean a zone not being signed).

\Berry
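
The check suggested in the reply above (a signconf still referencing a key that is no longer in the HSM) can be done mechanically. This is an added example, not part of the original message and not OpenDNSSEC code; the signconf element names (Zone, Key, Flags, Locator), the sample locators and the list of HSM key IDs are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample. Element names (Zone, Keys, Key, Flags, Locator) are an
# assumption about the signconf layout; the locators are made up.
SAMPLE_SIGNCONF = """\
<SignerConfiguration>
  <Zone name="example.test">
    <Keys>
      <Key><Flags>257</Flags><Algorithm>8</Algorithm>
           <Locator>AAAA1111aaaa1111aaaa1111aaaa1111</Locator></Key>
      <Key><Flags>256</Flags><Algorithm>8</Algorithm>
           <Locator>bbbb2222bbbb2222bbbb2222bbbb2222</Locator></Key>
      <Key><Flags>256</Flags><Algorithm>8</Algorithm>
           <Locator>cccc3333cccc3333cccc3333cccc3333</Locator></Key>
    </Keys>
  </Zone>
</SignerConfiguration>
"""

# Constructed list of key IDs still present in the HSM after the purge.
SAMPLE_HSM_IDS = ["aaaa1111aaaa1111aaaa1111aaaa1111",
                  "CCCC3333cccc3333cccc3333cccc3333"]


def signconf_keys(xml_text):
    """Return [(zone, locator, flags)] for every key a signconf references."""
    root = ET.fromstring(xml_text)
    refs = []
    for zone in root.iter("Zone"):
        for key in zone.iter("Key"):
            # Normalise case so hex IDs compare equal however they were written.
            locator = (key.findtext("Locator") or "").strip().lower()
            flags = (key.findtext("Flags") or "").strip()
            if locator:
                refs.append((zone.get("name"), locator, flags))
    return refs


def dangling_references(xml_text, hsm_key_ids):
    """Keys named in the signconf that the HSM no longer holds."""
    present = {key_id.strip().lower() for key_id in hsm_key_ids}
    return [ref for ref in signconf_keys(xml_text) if ref[1] not in present]


if __name__ == "__main__":
    for zone, loc, flags in dangling_references(SAMPLE_SIGNCONF, SAMPLE_HSM_IDS):
        print(f"{zone}: signconf references missing key {loc} (flags {flags})")
```

Each dangling reference identifies a zone whose signer would be asked for a key the HSM cannot return, which is the situation the reply suspects behind the hourly log bursts.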

