On 2021-04-15 21:29, Michael Grimm via Opendnssec-user wrote:
Hi,

I am running opendnssec 2.1.8 and softhsm2 2.6.1 in a jail on a recent
FreeBSD 13-STABLE system.

Today, out of a sudden, I am getting those errors for all of my
domains (e.g. example.tld):

Apr 15 11:10:45 <local0.notice> ods-enforcerd[52482]: [engine] running as pid 52482
Apr 15 11:10:45 <local0.notice> ods-enforcerd[52482]: [engine] enforcer started
Apr 15 11:10:45 <local0.notice> ods-enforcerd[52482]: [enforcer] update zone: example.tld
Apr 15 11:10:45 <local0.err> ods-enforcerd[52482]: [hsm_key_factory_delete_key] looking for keys to purge from HSM
Apr 15 11:10:45 <local0.notice> ods-enforcerd[52482]: [enforcer] removeDeadKeys: keys deleted from HSM: 0
Apr 15 11:10:45 <local0.notice> ods-enforcerd[52482]: [enforce_task] No changes to signconf file required for zone example.tld
...
Apr 15 11:10:46 <local0.err> ods-signerd[52488]: [hsm] unable to get key: key c9b713853a6757d0ac806ddc6384968c not found
Apr 15 11:10:46 <local0.err> ods-signerd[52488]: [hsm] hsm_get_dnskey(): Got NULL key
Apr 15 11:10:46 <local0.err> ods-signerd[52488]: [hsm] unable to get key: hsm failed to create dnskey
Apr 15 11:10:46 <local0.err> ods-signerd[52488]: [zone] unable to prepare signing keys for zone example.tld: error getting dnskey
Apr 15 11:10:46 <local0.crit> ods-signerd[52488]: [worker[1]] CRITICAL: failed to sign zone example.tld: General error
Apr 15 11:10:46 <local0.notice> ods-signerd[52488]: back-off task [sign] for zone example.tld with 60 seconds

I didn't change anything, but immediately after a restart of the jail
those messages started.

All my keys shown by 'ods-enforcer key list --verbose' can be found in
the SoftHSM2 database 'ods-hsmutil list', and all those keys (e.g.
c9b713853a6757d0ac806ddc6384968c) are not. That explains the complaints
e.g. 'key c9b713853a6757d0ac806ddc6384968c not found'.

You mention key c9b713853a6757d0ac806ddc6384968c is:
- not mentioned in ods-enforcer key list --verbose
- not mentioned in ods-hsmutil list
Correct?
Can you look in files /usr/local/var/opendnssec/signconf/*
whether it is mentioned there, and if so, can you provide a piece
of that XML?  I suspect it is mentioned without <Publish/> mentioned
in its <Key> section.

Did you purge old keys yourself with an ods-enforcer key purge
command, or do you have a <Purge> mentioned in your /usr/local/etc/opendnssec/conf.xml
configuration?  By chance is it set to 0, or a quite low value?

I suspect this is an old key that was removed and with a restart there are still old signatures of this key around. An ods-signer clear <zone> will repair the issue, but I'd like to harden the signer to not care about too aggressive key purging.

But why does the signer look for keys not available in the hsm database?

Probably because there are still signatures with this key.

Any ideas regarding this and how to debug this issue?

See above ;-)

\Berry

Thanks in advance and with kind regards,
Michael
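A check for the situation Berry describes, as an added example that is not code from the thread or from OpenDNSSEC: it pulls the <Locator> of every <Key> out of a signconf file (assumed layout of an OpenDNSSEC 2.x signconf: <Zone>/<Keys>/<Key>, with <Publish/> on keys that are published), notes whether <Publish/> is present, and reports locators that do not appear among the key IDs printed by ods-hsmutil list. Both the signconf and the listing below are constructed samples.

```python
import xml.etree.ElementTree as ET

# Constructed signconf for example.tld in the shape OpenDNSSEC 2.x writes
# (assumption: <Keys>/<Key>/<Locator>, with <Publish/> on published keys).
# The ZSK entry reuses the key id from the thread and lacks <Publish/>.
SIGNCONF = """<SignerConfiguration>
  <Zone name="example.tld">
    <Keys>
      <Key><Flags>257</Flags><Algorithm>8</Algorithm>
        <Locator>1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d</Locator><KSK/><Publish/></Key>
      <Key><Flags>256</Flags><Algorithm>8</Algorithm>
        <Locator>c9b713853a6757d0ac806ddc6384968c</Locator><ZSK/></Key>
    </Keys>
  </Zone>
</SignerConfiguration>"""

# Constructed 'ods-hsmutil list' output: only the KSK is still in SoftHSM.
HSM_LIST = """Repository  ID                                Type
SoftHSM     1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d  RSA/2048"""


def hsm_key_ids(listing: str) -> set:
    """Collect the 32-hex-character key IDs from ods-hsmutil list output."""
    ids = set()
    for line in listing.splitlines():
        for tok in line.split():
            if len(tok) == 32 and all(c in "0123456789abcdef" for c in tok):
                ids.add(tok)
    return ids


def signconf_keys(xml_text: str) -> list:
    """Return (zone, locator, has_publish) for every <Key> in a signconf."""
    root = ET.fromstring(xml_text)
    found = []
    for zone in root.iter("Zone"):
        for key in zone.iter("Key"):
            locator = key.findtext("Locator", "").strip()
            found.append((zone.get("name"), locator, key.find("Publish") is not None))
    return found


def missing_keys(xml_text: str, listing: str) -> list:
    """Keys the signer will try to load but which the HSM no longer holds."""
    present = hsm_key_ids(listing)
    return [k for k in signconf_keys(xml_text) if k[1] not in present]


for zone, locator, published in missing_keys(SIGNCONF, HSM_LIST):
    print(f"{zone}: key {locator} in signconf but not in HSM "
          f"({'with' if published else 'without'} <Publish/>)")
```

Run against the real files with SIGNCONF read from /usr/local/var/opendnssec/signconf/<zone>.xml and HSM_LIST captured from ods-hsmutil list; any line it prints is a key the signer will fail on exactly as in the log above.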

_______________________________________________
Opendnssec-user mailing list
Opendnssec-user@lists.opendnssec.org
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user