[Opendnssec-user] Release of OpenDNSSEC 2.1.10

Ton Amsterdam ton.amsterdam.nl at gmail.com
Tue Oct 12 08:04:52 UTC 2021


We are still seeing: "key_data_update() failed"

Oct 11 05:03:13 signer ods-enforcerd[6452]: [enforcer] removeDeadKeys
deleting key: 60e49cfb7857be2942afa451c0654c98
Oct 11 05:03:13 signer ods-enforcerd[6452]: [hsm_key_factory_get_key]
removing key 60e49cfb7857be2942afa451c0654c98 from HSM
Oct 11 05:03:13 signer ods-enforcerd[6452]: [enforcer] removeDeadKeys:
keys deleted from HSM: 1
Oct 11 05:03:13 signer ods-enforcerd[6452]: [enforcer] update:
key_data_update() failed
Oct 11 18:30:18 signer ods-enforcerd[6452]: [enforcer] removeDeadKeys
deleting key: 96a5d13abd2cc3246e703cfdd429a0d2
Oct 11 18:30:18 signer ods-enforcerd[6452]: [hsm_key_factory_get_key]
removing key 96a5d13abd2cc3246e703cfdd429a0d2 from HSM
Oct 11 18:30:18 signer ods-enforcerd[6452]: [enforcer] removeDeadKeys:
keys deleted from HSM: 1
Oct 11 18:30:18 signer ods-enforcerd[6452]: [enforcer] update:
key_data_update() failed

for key rollovers.

We upgraded on Oct 10 to 2.1.10



On Sat, Sep 11, 2021 at 1:05 PM Berry van Halderen via Opendnssec-user
<opendnssec-user at lists.opendnssec.org> wrote:
>
> Dear all,
>
> Just released, OpenDNSSEC 2.1.10, available immediately from our regular
> download site:
>
> https://dist.opendnssec.org/source/opendnssec-2.1.10.tar.gz
>
> SHA256: c0a8427de241118dccbf7abc508e4dd53fb75b45e9f386addbadae7ecc092756
>
> This release addresses an automatic resalting after a migration from 1.4
> and an error manifesting as a key_data_update failure in the logs where
> a retired key wasn't removed from the signer configuration in time in
> certain circumstances.
> Also an RPM is now provided for RHEL/CentOS distros at the same download
> location:  https://dist.opendnssec.org/source/
>
> \Berry
>
> * OPENDNSSEC-957: Fix exit code signer daemon to not always report
> failure.
> * OPENDNSSEC-958: Fix immediate resalting after migration from 1.4.
> * OPENDNSSEC-959: Emit warning on ods-kaspcheck for NSEC iteration count
>    that is deemed too high.
> * SUPPORT-265: Resolve conflict when deleting keys from HSM whilst
>    also performing step in key roll process.  Typically a message
>    "key_data_update failed" is present in logs.
> * Provided RedHat/CentOS spec file in contrib directory.
> _______________________________________________
> Opendnssec-user mailing list
> Opendnssec-user at lists.opendnssec.org
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user


More information about the Opendnssec-user mailing list