On Thu, Feb 18, 2021 at 9:55 AM (Berry) A.W. van Halderen via Opendnssec-user <opendnssec-user@lists.opendnssec.org> wrote:
>
> On Tue, Feb 09, 2021 at 01:43:09PM -0800, Randy Bush via Opendnssec-user wrote:
> > opendnssec version 2.1.7
> > softhsm 1.3.8
> >
> > Feb 8 20:07:33 rap ods-enforcerd[676]: [enforcer] update: key_data_update() failed
> >
> > goog gives no hits for key_data_update() failed
>
> I've had one report earlier, but that one was somewhat uncertain. Now
> with your report and from Roman Serbski there seems to be more of a
> pattern.
>
> The message itself is too technical IMO, and should not be logged this
> way, as many others are. Instead there should have been a message
> that a key transaction could not be completed because the change could
> not be persisted into the database, and will be tried again.
>
> Technically an update query to the database failed, or did not change
> anything in the database as would have been expected. It's hard to
> speculate why, because there should not be any valid reason for this.
>
> - To narrow down my research, is this based on a MySQL database?
> - Does the problem persist, i.e. does this message keep appearing?
> - This can be explicitly tested using the command "ods-enforcer enforce".
> - Does the problem persist even after a restart of the enforcer
>   "ods-enforcer stop ; ods-enforcer start"?
> - How many zones does the enforcer handle?
> - Are there any other log messages which might help me?
>
> There should be no problem if the problem does not persist, as the
> transaction should be retried, but again, it should not happen in
> any circumstance, apart from actually stopping the database.
>
> \Berry
>
> P.S.: The imminent 2.1.8 release with a fix to purging of the keys,
> cannot be related to this issue.

Hi Berry,

Thank you for your reply.

I started reading the thread from November (https://lists.opendnssec.org/pipermail/opendnssec-user/2020-November/004551.html) and I might be wrong but I think it's related. I'm experiencing the same behavior as Paul Wouters (https://lists.opendnssec.org/pipermail/opendnssec-user/2020-November/004552.html) -- it takes several minutes to list all keys.

Actually, the key from my initial email has never been purged from the HSM:

%ods-hsmutil list | grep f30eafaf208d0cab57cda29a75b62820
SoftHSM f30eafaf208d0cab57cda29a75b62820 RSA/1024

I've seen key_data_update() error with SoftHSM 1 too (I've only recently upgraded to SoftHSM 2).

Regarding your questions:

> - To narrow down my research, is this based on a MySQL database?

I've always been using SQLite (sqlite3-3.34.1 to be precise).

> - Does the problem persist, i.e. does this message keep appearing?
> - This can be explicitly tested using the command "ods-enforcer enforce".
> - Does the problem persist even after a restart of the enforcer
>   "ods-enforcer stop ; ods-enforcer start"?

I haven't seen it reappearing for the same key. I think it occurs only once, at the moment the key is supposed to get purged from the HSM. So if I look at the zone in question, everything seems to be fine from the enforcer perspective:

% ods-enforcer key list -v | grep domain.org
domain.org KSK active 2021-02-21 08:57:12 2048 8 e8f6629b6fd5d7d466f892cf0921091f SoftHSM 57760
domain.org ZSK active 2021-02-21 08:57:12 1024 8 e9ab74866bfad3fd7db73efe73b4e40f SoftHSM 27328

But the key (ZSK) that was renewed is still in the HSM:

%ods-hsmutil list | grep f30eafaf208d0cab57cda29a75b62820
SoftHSM f30eafaf208d0cab57cda29a75b62820 RSA/1024

> - How many zones does the enforcer handle?

82

> - Are there any other log messages which might help me?

No other logs present.

Would be happy to provide further info in case needed.

Thank you.
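
The check the message above does by hand for one key (an ID still shown by `ods-hsmutil list` but absent from `ods-enforcer key list -v`), applied to every key, as an added shell example that is not part of the original thread or of OpenDNSSEC. The function and helper names are hypothetical, and two of the three HSM sample lines are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): report key IDs that the HSM holds
# but that no line of the enforcer's key list mentions.

# Lines copied from the message's `ods-enforcer key list -v` output.
sample_enforcer() {
cat <<'EOF'
domain.org KSK active 2021-02-21 08:57:12 2048 8 e8f6629b6fd5d7d466f892cf0921091f SoftHSM 57760
domain.org ZSK active 2021-02-21 08:57:12 1024 8 e9ab74866bfad3fd7db73efe73b4e40f SoftHSM 27328
EOF
}

# `ods-hsmutil list` lines: the last is from the message, the first two are
# constructed so that the active keys appear in the HSM as well.
sample_hsm() {
cat <<'EOF'
SoftHSM e8f6629b6fd5d7d466f892cf0921091f RSA/2048
SoftHSM e9ab74866bfad3fd7db73efe73b4e40f RSA/1024
SoftHSM f30eafaf208d0cab57cda29a75b62820 RSA/1024
EOF
}

# hsm_unreferenced ENFORCER_FILE HSM_FILE  (hypothetical helper name)
# Prints "repository id type" for every HSM key whose 32-hex-digit ID is
# absent from the enforcer listing. The pass variable, rather than NR==FNR,
# keeps an empty enforcer file from being mistaken for "every key is known".
hsm_unreferenced() {
    awk '
        function is_id(s) { return length(s) == 32 && s ~ /^[0-9A-Fa-f]+$/ }
        pass == 1 {
            for (i = 1; i <= NF; i++) if (is_id($i)) known[tolower($i)] = 1
            next
        }
        is_id($2) && !(tolower($2) in known) { print $1, $2, $3 }
    ' pass=1 "$1" pass=2 "$2"
}

if [ "$#" -eq 2 ]; then
    hsm_unreferenced "$1" "$2"          # saved output of the two commands
else
    tmp=$(mktemp -d)                    # no arguments: run on the samples
    sample_enforcer > "$tmp/enforcer"
    sample_hsm > "$tmp/hsm"
    hsm_unreferenced "$tmp/enforcer" "$tmp/hsm"
    rm -rf "$tmp"
fi
```

A key ID printed here is a candidate to check, not proof of a failed purge: a key that has been generated in the HSM but not yet assigned to a zone may also appear only in the HSM listing.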