[Opendnssec-user] hsm unable to get key

Havard Eidnes he at uninett.no
Tue Dec 5 18:22:32 UTC 2023


> freebsd 13.1
> opendnssec 2.1.10
> softhsm 1.3.8
>
> things running happily for months.  suddenly, i have logs full of
>
>     Apr  9 21:22:12 rip ods-enforcerd[35513]: [hsm_key_factory_delete_key] looking for keys to purge from HSM
>     Apr  9 21:22:15 rip ods-signerd[35519]: [hsm] unable to get key: key c6ab03c6ecd8ca4e9d57eae9ccc79a69 not found
>     Apr  9 21:22:15 rip ods-signerd[35519]: [hsm] hsm_get_dnskey(): Got NULL key
>     Apr  9 21:22:15 rip ods-signerd[35519]: [hsm] unable to get key: hsm failed to create dnskey
>     Apr  9 21:22:15 rip ods-signerd[35519]: [zone] unable to prepare signing keys for zone 150.180.198.in-addr.arpa: error getting dnskey
>     Apr  9 21:22:15 rip ods-signerd[35519]: [worker[1]] CRITICAL: failed to sign zone 150.180.198.in-addr.arpa: General error
>
> https://issues.opendnssec.org/browse/SUPPORT-278 does not enlighten me
> much more; though maybe that's my fault.

Maybe...  I just picked up the suggested patch to the signer
attached to that problem report and applied it to the NetBSD
package together with two other minor cosmetic issues I had
lying around fixes for, ref.

  http://mail-index.netbsd.org/pkgsrc-changes/2023/12/05/msg288131.html

If the submitter is correct, this is a concurrency issue, and
serializing the calls to hsm_get_dnskey() appears to work around
this issue for the submitter.

Looking back at my logs, it looks like I got a spate of these
messages last January / February.

The problem is probably reliably reproducing this issue at will.
If it is as surmised, it's possible that this problem will clear
on the next re-run (or the one after that or ...) as signature
generation is "spread out" scheduling-wise.

Regards,

- Håvard
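
Added example, not part of the original post or of OpenDNSSEC: a Python triage script for the syslog pattern quoted above. It ties each "key ... not found" message to the zone whose signing then failed, so you can see whether failures come in isolated bursts or persist for one key. The second incident in the sample (zone example.net and its key id) is constructed, and attributing keys by signer PID is a heuristic assumption.

```python
import re
from collections import defaultdict

# Sample input: the first six lines are the log lines quoted in the post;
# the last two (example.net, key 0123...) are constructed for illustration.
SAMPLE = """\
Apr  9 21:22:12 rip ods-enforcerd[35513]: [hsm_key_factory_delete_key] looking for keys to purge from HSM
Apr  9 21:22:15 rip ods-signerd[35519]: [hsm] unable to get key: key c6ab03c6ecd8ca4e9d57eae9ccc79a69 not found
Apr  9 21:22:15 rip ods-signerd[35519]: [hsm] hsm_get_dnskey(): Got NULL key
Apr  9 21:22:15 rip ods-signerd[35519]: [hsm] unable to get key: hsm failed to create dnskey
Apr  9 21:22:15 rip ods-signerd[35519]: [zone] unable to prepare signing keys for zone 150.180.198.in-addr.arpa: error getting dnskey
Apr  9 21:22:15 rip ods-signerd[35519]: [worker[1]] CRITICAL: failed to sign zone 150.180.198.in-addr.arpa: General error
Apr  9 22:22:16 rip ods-signerd[35519]: [hsm] unable to get key: key 0123456789abcdef0123456789abcdef not found
Apr  9 22:22:16 rip ods-signerd[35519]: [worker[2]] CRITICAL: failed to sign zone example.net: General error
"""

# Only ods-signerd lines are considered; enforcer lines are skipped.
LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ ods-signerd\[(\d+)\]: \[(.+?)\] (.*)$")
KEY_MISSING = re.compile(r"unable to get key: key ([0-9a-f]+) not found")
SIGN_FAILED = re.compile(r"failed to sign zone (\S+):")


def triage(log_text):
    """Return {zone: {"failures": n, "keys": {...}, "times": [...]}}."""
    # pid -> key ids reported missing but not yet tied to a zone.
    # Heuristic: with several workers in one signer process, interleaved
    # messages can attribute a key to the wrong zone.
    pending = defaultdict(list)
    report = defaultdict(lambda: {"failures": 0, "keys": set(), "times": []})
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        stamp, pid, _tag, msg = m.groups()
        if (k := KEY_MISSING.search(msg)):
            pending[pid].append(k.group(1))
        elif (z := SIGN_FAILED.search(msg)):
            entry = report[z.group(1)]
            entry["failures"] += 1
            entry["keys"].update(pending.pop(pid, []))
            entry["times"].append(stamp)
    return dict(report)


if __name__ == "__main__":
    for zone, info in sorted(triage(SAMPLE).items()):
        print(zone, info["failures"], sorted(info["keys"]), info["times"])
```

A zone that shows one failure per key followed by quiet periods fits a transient error; the same key failing on every signing run points at a key that is actually missing from the HSM.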

