On 2021-05-07 01:53, Randy Bush via Opendnssec-user wrote:
> # uname -a
> FreeBSD rip.psg.com 12.2-RELEASE-p6 FreeBSD 12.2-RELEASE-p6 GENERIC amd64
> # pkg info opendnssec2 | head -1
> opendnssec2-2.1.8
> # pkg info softhsm | head -1
> softhsm-1.3.8
Dear Randy,
OpenDNSSEC 2.1.9 is out, which solves this issue I think.
The problem is that certain HSMs (amongst which SoftHSM in database
backend mode) have a funny behaviour.
\Berry
> all worked until a reboot this morning
> none recently changed
> # ls -l `which ods-signerd`
> -rwxr-xr-x 1 root wheel 385632 Mar 13 19:56 /usr/local/sbin/ods-signerd*
> # ls -l `which ods-enforcerd`
> -rwxr-xr-x 1 root wheel 482984 Mar 13 19:56 /usr/local/sbin/ods-enforcerd*
> # ls -l `which softhsm`
> -rwxr-xr-x 1 root wheel 57200 Jul 7 2019 /usr/local/bin/softhsm*
> May 6 23:08:15 rip ods-signerd[705]: [hsm] unable to get key: key c659db9ce13d7f18518cd1bbe0a2f0d8 not found
> May 6 23:08:15 rip ods-signerd[705]: [hsm] hsm_get_dnskey(): Got NULL key
> May 6 23:08:15 rip ods-signerd[705]: [hsm] unable to get key: hsm failed to create dnskey
> May 6 23:08:15 rip ods-signerd[705]: [zone] unable to prepare signing keys for zone sol.int: error getting dnskey
> May 6 23:08:15 rip ods-signerd[705]: [worker[1]] CRITICAL: failed to sign zone sol.int: General error
> and same for all signed zones
> but
> # sqlite3 /usr/local/var/softhsm/slot0.db ".backup foo"
> # ls -l foo
> -rw-r--r-- 1 root wheel 316416 May 6 23:29 foo
> still duckduckgoing for how to see if sqlite3 has that key, c659db9ce13d7f18518cd1bbe0a2f0d8
> but
> # softhsm --show-slot
> Available slots:
> Slot 0
> Token present: yes
> Token initialized: yes
> User PIN initialized: yes
> Token label: opendnssec
> and
> # softhsm --export test --slot 0 --pin no-way --id c659db9ce13d7f18518cd1bbe0a2f0d8
> Error: Could not find the private key with ID = c659db9ce13d7f18518cd1bbe0a2f0d8
> but
> # ods-enforcer key list -v -z ymbk.com
> Keys:
> Zone:     Keytype: State:  Date of next transition: Size: Algorithm: CKA_ID:                          Repository: KeyTag:
> ymbk.com  KSK      active  2021-06-28 21:37:27      2048  8          52d55ded0e4a06b444774b9daf9ad050 SoftHSM     53482
> ymbk.com  ZSK      active  2021-06-28 21:37:27      2048  8          a7f2aa72ecb73b40970abe2b4ffc353e SoftHSM     52456
> though i am not sure enforcer is calling softhsm or just looking in its back pocket
> so i
> restarted opendnssec
> played my backup script
> ods-enforcer backup prepare
> sqlite3 /usr/local/var/softhsm/slot0.db ".backup `date '+%y%m%d'`.softhsm-copy.db"
> ods-enforcer backup commit
> tried a reboot
> an hour searching the net of a million lies was no help. similar problems with much older versions.
> i once tried to upgrade to softhsm2 and had to back off after major mess. willing to try again if i can find a recipe.
> the only possible hint is from a couple of days back, port upgrade of sqlite3
> bind-tools-9.16.13 < needs updating (remote has 9.16.15)
> bind916-9.16.13 < needs updating (remote has 9.16.15)
> sqlite3-3.34.1_1,1 < needs updating (remote has 3.35.5,1)
> clues very much appreciated
> randy
> ---
> ra...@psg.com
> `gpg --locate-external-keys --auto-key-locate wkd ra...@psg.com`
> signatures are back, thanks to dmarc header butchery
_______________________________________________
Opendnssec-user mailing list
Opendnssec-user@lists.opendnssec.org
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
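A small cross-check script, added here as an example and not part of the thread or of OpenDNSSEC itself, that pulls the CKA_IDs from ods-signerd's "unable to get key ... not found" lines and the zones from its "failed to sign zone" lines, then compares them with the CKA_IDs in `ods-enforcer key list -v` output. This lets a monitor tell "the HSM lost a key the enforcer still considers active" from "the signer is asking for an id the enforcer never listed", which is the distinction Randy was trying to establish by hand. The log lines and key listing are constructed samples shaped like the ones quoted above.

```python
import re
KEY_NOT_FOUND = re.compile(r"\[hsm\] unable to get key: key ([0-9a-f]{32}) not found")
SIGN_FAILED = re.compile(r"CRITICAL: failed to sign zone (\S+):")
KEY_ROW = re.compile(r"^(\S+)\s+(KSK|ZSK)\s+(\S+)\s+\S+ \S+\s+\d+\s+\d+\s+([0-9a-f]{32})\s+(\S+)\s+\d+$")

# Constructed syslog sample shaped like the ods-signerd lines quoted in the post.
SIGNER_LOG = """\
May  6 23:08:15 rip ods-signerd[705]: [hsm] unable to get key: key c659db9ce13d7f18518cd1bbe0a2f0d8 not found
May  6 23:08:15 rip ods-signerd[705]: [hsm] hsm_get_dnskey(): Got NULL key
May  6 23:08:15 rip ods-signerd[705]: [zone] unable to prepare signing keys for zone sol.int: error getting dnskey
May  6 23:08:15 rip ods-signerd[705]: [worker[1]] CRITICAL: failed to sign zone sol.int: General error
May  6 23:08:16 rip ods-signerd[705]: [worker[2]] CRITICAL: failed to sign zone ymbk.com: General error
"""
# Constructed 'ods-enforcer key list -v' output; CKA_ID is the id the signer asks the HSM for.
ENFORCER_KEYS = """\
Zone:     Keytype: State:  Date of next transition: Size: Algorithm: CKA_ID:                          Repository: KeyTag:
ymbk.com  KSK      active  2021-06-28 21:37:27      2048  8          52d55ded0e4a06b444774b9daf9ad050 SoftHSM     53482
ymbk.com  ZSK      active  2021-06-28 21:37:27      2048  8          a7f2aa72ecb73b40970abe2b4ffc353e SoftHSM     52456
"""

def parse_enforcer_keys(text: str) -> dict:
    """Index the enforcer's view of keys by CKA_ID: zone, keytype, state, repository."""
    keys = {}
    for line in text.splitlines():
        if (m := KEY_ROW.match(line)):
            zone, keytype, state, cka_id, repo = m.groups()
            keys[cka_id] = {"zone": zone, "keytype": keytype, "state": state, "repository": repo}
    return keys

def scan_signer_log(text: str) -> dict:
    """Collect the CKA_IDs the signer could not load and the zones it failed to sign."""
    missing, failed = set(), set()
    for line in text.splitlines():
        if (m := KEY_NOT_FOUND.search(line)):
            missing.add(m.group(1))
        elif (m := SIGN_FAILED.search(line)):
            failed.add(m.group(1))
    return {"missing_keys": missing, "failed_zones": failed}

def cross_check(log_text: str, enforcer_text: str) -> list:
    """One finding per missing key (does the enforcer still list it?) and one per failed zone."""
    keys, seen, findings = parse_enforcer_keys(enforcer_text), scan_signer_log(log_text), []
    for cka_id in sorted(seen["missing_keys"]):
        k = keys.get(cka_id)  # None means the enforcer never listed this id at all
        findings.append(f"{cka_id}: " + ("not listed by enforcer" if k is None else
                        f"listed as {k['state']} {k['keytype']} for {k['zone']} but missing from {k['repository']}"))
    for zone in sorted(seen["failed_zones"]):
        n = sum(1 for k in keys.values() if k["zone"] == zone and k["state"] == "active")
        findings.append(f"{zone}: signing failed; enforcer lists {n} active key(s)")
    return findings
```

Feed it the real syslog and the output of `ods-enforcer key list -v` for every zone (not just one) to get a per-key verdict before restoring an HSM database from backup.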