ODS 2.1.9 SoftHSM 2.6.1, MySQL backend.
Jun 22 09:03:11 signer1 ods-enforcerd[1523461]: [enforcer] removeDeadKeys deleting key: 1b3a7b2082eb554cea378955dbe4af6a Jun 22 09:03:11 signer1 ods-enforcerd[1523461]: [hsm_key_factory_delete_key] looking for keys to purge from HSM Jun 22 09:03:11 signer1 ods-enforcerd[1523461]: [hsm_key_factory_get_key] removing key 1b3a7b2082eb554cea378955dbe4af6a from HSM Jun 22 09:03:11 signer1 ods-enforcerd[1523461]: [enforcer] removeDeadKeys: keys deleted from HSM: 1 Jun 22 09:03:11 signer1 ods-enforcerd[1523461]: [enforcer] update: key_data_update() failed Seeing this regularly - for different keys. But only once per key. On Wed, May 26, 2021 at 5:23 PM Berry van Halderen via Opendnssec-user < opendnssec-user@lists.opendnssec.org> wrote: > On 2021-05-26 17:15, Roman Serbski via Opendnssec-user wrote: > > On Fri, May 7, 2021 at 5:14 PM Randy Bush via Opendnssec-user > > <opendnssec-user@lists.opendnssec.org> wrote: > >> > >> > OpenDNSSEC 2.1.9 is out, which solves this issue I think. > >> > >> the kindness of dr akkerhuis allowed me to install on a binary-only > >> freebsd. > >> > >> i am not positive that 2.1.9 fixed the problem; but it definintely > >> suppressed the error messages :) > > > > Hello, > > > > I'm not 100% sure it's the same issue, but I start getting the similar > > errors with OpenDNSSEC 2.1.9 under FreeBSD 12.2-RELEASE-p2 r369009. > > > > Some days ago, I removed one zone using the command: > > > > ods-enforcer zone delete --zone domain.org > > > > And yesterday I started receiving: > > Related, but not the same issue, and not really in OpenDNSSEC but with > SoftHSM. > The start/stop should have fixed it, but a ods-signer update --all > should > also have done the trick. I'm afraid this will turn out to be a > concurrency > issue that will be hard to pick up in SoftHSM. > If anyone else sees this message I would like to know because I think it > will be > very rare. > > \Berry > > > May 24 19:16:29 SRV-SIGN01 ods-signerd[5480]: File.cpp(94): Could not > > open the file (No such file or directory): > > > /var/lib/softhsm/tokens//3eab29c6-3b3f-fcf9-4aed-ff695aef81b0/63f07aa8-56e9-3639-4ebd-41692cb2a208.object > > May 24 19:16:29 SRV-SIGN01 ods-signerd[5480]: [hsm] sign init: > > CKR_OBJECT_HANDLE_INVALID > > May 24 19:16:29 SRV-SIGN01 ods-signerd[5480]: [hsm] error signing > > rrset with libhsm > > May 24 19:16:29 SRV-SIGN01 ods-signerd[5480]: [rrset] unable to sign > > RRset[6]: lhsm_sign() failed > > May 24 19:16:29 SRV-SIGN01 ods-signerd[5480]: [worker[2]] sign zone > > domain.org failed: 1 RRsets failed > > May 24 19:16:29 SRV-SIGN01 ods-signerd[5480]: [worker[2]] CRITICAL: > > failed to sign zone domain.org: General error > > May 24 19:16:29 SRV-SIGN01 ods-signerd[5480]: back-off task [sign] for > > zone domain.org with 60 seconds > > > > I also noticed errors while purging expired ZSKs for other domains, for > > example: > > > > May 24 17:35:01 SRV-SIGN01 ods-enforcerd[5474]: [enforcer] update > > zone: domain2.org > > May 24 17:35:01 SRV-SIGN01 ods-enforcerd[5474]: [enforcer] > > removeDeadKeys deleting key: 37abe5998879aceefea122b69ca98751 > > May 24 17:35:01 SRV-SIGN01 ods-enforcerd[5474]: > > [hsm_key_factory_delete_key] looking for keys to purge from HSM > > May 24 17:35:01 SRV-SIGN01 ods-enforcerd[5474]: > > [hsm_key_factory_get_key] removing key > > 37abe5998879aceefea122b69ca98751 from HSM > > May 24 17:35:01 SRV-SIGN01 ods-enforcerd[5474]: > > [hsm_key_factory_get_key] removing key > > be586f8af9ec83163ffe73c66a21f319 from HSM > > May 24 17:35:01 SRV-SIGN01 ods-enforcerd[5474]: > > [hsm_key_factory_get_key] removing key > > 78586dbbaab0ebf9ddd01b0fb4cbd83f from HSM > > May 24 17:35:01 SRV-SIGN01 ods-enforcerd[5474]: [enforcer] > > removeDeadKeys: keys deleted from HSM: 3 > > May 24 17:35:01 SRV-SIGN01 ods-enforcerd[5474]: [enforcer] update: > > key_data_update() failed > > May 24 17:35:01 SRV-SIGN01 ods-enforcerd[5474]: [enforce_task] No > > changes to signconf file required for zone domain2.org > > > > /usr/local/etc/rc.d/opendnssec stop/start seems to suppress the error. > > > > Thanks. > > _______________________________________________ > > Opendnssec-user mailing list > > Opendnssec-user@lists.opendnssec.org > > https://lists.opendnssec.org/mailman/listinfo/opendnssec-user > _______________________________________________ > Opendnssec-user mailing list > Opendnssec-user@lists.opendnssec.org > https://lists.opendnssec.org/mailman/listinfo/opendnssec-user >
_______________________________________________ Opendnssec-user mailing list Opendnssec-user@lists.opendnssec.org https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
