In a lab system we had some issues with the HSM (still pending investigation). We saw the following in the logs:
Jul 12 11:54:52 signer-01 ods-signerd: [hsm] sign final: CKR_DEVICE_ERROR Jul 12 11:54:52 signer-01 ods-signerd: [hsm] sign final: CKR_DEVICE_ERROR Jul 12 11:54:53 signer-01 ods-signerd: [hsm] sign final: CKR_DEVICE_ERROR Jul 12 11:54:53 signer-01 ods-signerd: [hsm] sign final: CKR_DEVICE_ERROR Jul 12 11:54:53 signer-01 ods-signerd: [worker[3]] sign zone ca failed: 81 of 1910549 signatures failed The zone involved is a large test zone with opt-in. It should only require a handful of RRSIGs, not 1910549. I think the reporting of this latter number is based on an assumption of no-opt-in. It's somewhat misleading, as I think all RRSIG generation failed, and the message 81 out of 1910549 failed wrongly suggests some RRSIGs were correctly generated. Paul _______________________________________________ Opendnssec-user mailing list [email protected] https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
