> freebsd 13.1
> opendnssec 2.1.10
> softhsm 1.3.8
>
> things running happily for months.  suddenly, i have logs full of
>
>     Apr  9 21:22:12 rip ods-enforcerd[35513]: [hsm_key_factory_delete_key] looking for keys to purge from HSM
>     Apr  9 21:22:15 rip ods-signerd[35519]: [hsm] unable to get key: key c6ab03c6ecd8ca4e9d57eae9ccc79a69 not found
>     Apr  9 21:22:15 rip ods-signerd[35519]: [hsm] hsm_get_dnskey(): Got NULL key
>     Apr  9 21:22:15 rip ods-signerd[35519]: [hsm] unable to get key: hsm failed to create dnskey
>     Apr  9 21:22:15 rip ods-signerd[35519]: [zone] unable to prepare signing keys for zone 150.180.198.in-addr.arpa: error getting dnskey
>     Apr  9 21:22:15 rip ods-signerd[35519]: [worker[1]] CRITICAL: failed to sign zone 150.180.198.in-addr.arpa: General error
>
> https://issues.opendnssec.org/browse/SUPPORT-278 does not enlighten me
> much more; though maybe that's my fault.

Maybe...  I just picked up the suggested patch to the signer
attached to that problem report and applied it to the NetBSD
package together with two other minor cosmetic issues I had
lying around fixes for, ref.

  http://mail-index.netbsd.org/pkgsrc-changes/2023/12/05/msg288131.html

If the submitter is correct, this is a concurrency issue, and
serializing the calls to hsm_get_dnskey() appears to work around
this issue for the submitter.

Looking back at my logs, it looks like I got a spate of these
messages last January / February.

The problem is probably reliably reproducing this issue at will.
If it is as surmised, it's possible that this problem will clear
on the next re-run (or the one after that or ...) as signature
generation is "spread out" scheduling-wise.

Regards,

- Håvard
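
A triage helper for the log excerpt quoted above, added here as an example (it is not part of the original message or of OpenDNSSEC): it pairs each "key ... not found" line with the signing failure that follows from the same ods-signerd PID and counts failures per day, zone and key, so a spate of failures stands out from a key that is missing on every run. The function names and the last sample line are constructed for illustration.

```python
import re
from collections import Counter

# The log lines quoted above, unwrapped; the last line is constructed.
SAMPLE = """\
Apr  9 21:22:12 rip ods-enforcerd[35513]: [hsm_key_factory_delete_key] looking for keys to purge from HSM
Apr  9 21:22:15 rip ods-signerd[35519]: [hsm] unable to get key: key c6ab03c6ecd8ca4e9d57eae9ccc79a69 not found
Apr  9 21:22:15 rip ods-signerd[35519]: [hsm] hsm_get_dnskey(): Got NULL key
Apr  9 21:22:15 rip ods-signerd[35519]: [hsm] unable to get key: hsm failed to create dnskey
Apr  9 21:22:15 rip ods-signerd[35519]: [zone] unable to prepare signing keys for zone 150.180.198.in-addr.arpa: error getting dnskey
Apr  9 21:22:15 rip ods-signerd[35519]: [worker[1]] CRITICAL: failed to sign zone 150.180.198.in-addr.arpa: General error
Apr 10 03:10:41 rip ods-signerd[35519]: [worker[2]] CRITICAL: failed to sign zone example.test: General error
"""

LINE = re.compile(r"^(?P<day>\w{3}\s+\d+) (?P<time>[\d:]+) \S+ "
                  r"ods-signerd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
KEY_MISSING = re.compile(r"\[hsm\] unable to get key: key (?P<key>[0-9a-f]+) not found")
SIGN_FAILED = re.compile(r"CRITICAL: failed to sign zone (?P<zone>\S+):")

def failures(lines):
    """Yield (day, time, zone, key) for each failed signing run.

    key is None when no 'not found' line from the same PID preceded the
    failure. Workers share one PID, so with interleaved worker output the
    pairing is a best guess, not proof of which key a zone was missing.
    """
    last_key = {}  # pid -> key locator most recently reported missing
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # not an ods-signerd line (e.g. ods-enforcerd)
        pid, msg = m["pid"], m["msg"]
        if (k := KEY_MISSING.search(msg)):
            last_key[pid] = k["key"]
        elif (z := SIGN_FAILED.search(msg)):
            day = " ".join(m["day"].split())  # "Apr  9" -> "Apr 9"
            yield day, m["time"], z["zone"], last_key.pop(pid, None)

def spates(lines):
    """Count failures per (day, zone, key) to show when they cluster."""
    return Counter((d, z, k) for d, _t, z, k in failures(lines))

if __name__ == "__main__":
    for (day, zone, key), n in spates(SAMPLE.splitlines()).items():
        print(f"{day}: {n} failure(s) for {zone}, key {key or 'not logged'}")
```
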