-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 07/16/2012 05:08 PM, Paul Wouters wrote: > > In a lab system we had some issues with the HSM (still pending > investigation). We saw the following in the logs: > > Jul 12 11:54:52 signer-01 ods-signerd: [hsm] sign final: > CKR_DEVICE_ERROR Jul 12 11:54:52 signer-01 ods-signerd: [hsm] sign > final: CKR_DEVICE_ERROR Jul 12 11:54:53 signer-01 ods-signerd: > [hsm] sign final: CKR_DEVICE_ERROR Jul 12 11:54:53 signer-01 > ods-signerd: [hsm] sign final: CKR_DEVICE_ERROR Jul 12 11:54:53 > signer-01 ods-signerd: [worker[3]] sign zone ca failed: 81 of > 1910549 signatures failed > > The zone involved is a large test zone with opt-in. It should only > require a handful of RRSIGs, not 1910549. I think the reporting of > this latter number is based on an assumption of no-opt-in.
If opt in, you should have a RRSIG for every delegation right? > > It's somewhat misleading, as I think all RRSIG generation failed, > and the message 81 out of 1910549 failed wrongly suggests some > RRSIGs were correctly generated. I guess 81 signatures could be reused and no HSM interaction was required. Best regards, Matthijs > > Paul _______________________________________________ > Opendnssec-user mailing list [email protected] > https://lists.opendnssec.org/mailman/listinfo/opendnssec-user -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iQEcBAEBAgAGBQJQBXIvAAoJEA8yVCPsQCW5IzAH/3G2KyxpL5lFYWv6UropNweg tZDKZxDtPbbUcGX7jjm57PkEY3iTeJgCJR7h6SYSmRhCvtVgqK0GPQDAD5pCg4AG U2ZKcXvWaSagsf2g4NtocZIngsBRI+QXFGR+8GDot1aAtsYZJ+h1tYeGt1VEMtVu sLganbrvepkXO4BK6SmxAekWR8uHbvi1q9EXFzHeqdhnVQP7QWIwEcIbOqN7VnZK YjfABz6JesTPwhl0u+7BprNhARhMYZbrpPpja6fbELPTCrV0ZuEOHTKEZW6hGUjg TXyfZhKdQjVgtNZsLOK93usKwVj693GCtfbR2RqEfKtUju5hUMZpNJ19ua+pZKk= =aSaK -----END PGP SIGNATURE----- _______________________________________________ Opendnssec-user mailing list [email protected] https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
