On Mon, 18 Aug 2014, Paul Wouters wrote:
> On Fri, 15 Aug 2014, Roland van Rijswijk - Deij wrote:
>
>> I'd like to create an issue for this in our issue tracking system,
>> however, I have some questions:
>>
>> - Did OpenDNSSEC work correctly after you upgraded from SoftHSM v1 to v2
>> right up until the point that you tried to create an additional slot?
>
> yes, although getting the right permissions between softhsm/ods/nsd and
> rpm upgrades is very tricky (and a work in progress)
>
>> - Could you retry upgrading in this case and testing if OpenDNSSEC works
>> correctly with the new SoftHSM v2 token and if it does let us know?
>
> Yes that seems to work,

I take this back :(

Aug 24 03:07:05 ns0 ods-signerd: SecureDataManager.cpp(359): Invalid IV in encrypted data
Aug 24 03:07:05 ns0 ods-signerd: [hsm] sign init: CKR_GENERAL_ERROR
Aug 24 03:07:05 ns0 ods-signerd: [hsm] error signing rrset with libhsm
Aug 24 03:07:05 ns0 ods-signerd: [rrset] unable to sign RRset[28]: lhsm_sign() failed
Aug 24 03:07:05 ns0 ods-signerd: SecureDataManager.cpp(359): Invalid IV in encrypted data
Aug 24 03:07:05 ns0 ods-signerd: [hsm] sign init: CKR_GENERAL_ERROR
Aug 24 03:07:05 ns0 ods-signerd: [hsm] error signing rrset with libhsm
Aug 24 03:07:05 ns0 ods-signerd: [rrset] unable to sign RRset[6]: lhsm_sign() failed

It hasn't signed for a number of days, and I noticed by the first
records that had expired RRSIGs :(

Looking back through the logs, it broke instantly, but I misread the
messages in the log:

Aug 18 14:32:05 ns0 ods-signerd: [signconf] zone libreswan.ca signconf: RESIGN[PT7200S] REFRESH[PT604800S] VALIDITY[PT1209600S] DENIAL[PT1209600S] JITTER[PT43200S] OFFSET[PT3600S] NSEC[50] DNSKEYTTL[PT3600S] SOATTL[PT3600S] MINIMUM[PT3600S] SERIAL[datecounter]

Those didn't actually mean "signed" but "going to sign".

Paul
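
Added example (not part of the original message, and not OpenDNSSEC code): a check that flags a stalled signer from the published RRSIGs before they expire, using the REFRESH and RESIGN values from the signconf line quoted above. The RRSIG records, key tag, and check time are constructed sample data; the threshold REFRESH minus RESIGN is an assumption of this example, based on the signer renewing any signature with less than REFRESH left each time it runs.

```python
import re
from datetime import datetime, timedelta, timezone

# Signconf line as logged in the message above (syslog prefix and wrapping removed).
SIGNCONF = ("[signconf] zone libreswan.ca signconf: RESIGN[PT7200S] "
            "REFRESH[PT604800S] VALIDITY[PT1209600S] DENIAL[PT1209600S] "
            "JITTER[PT43200S] OFFSET[PT3600S] NSEC[50] DNSKEYTTL[PT3600S] "
            "SOATTL[PT3600S] MINIMUM[PT3600S] SERIAL[datecounter]")

# Constructed RRSIG records in presentation format; key tag and signature are placeholders.
RRSIGS = """\
libreswan.ca. 3600 IN RRSIG SOA 8 2 3600 20140901143205 20140818133205 12345 libreswan.ca. AAAA
www.libreswan.ca. 3600 IN RRSIG A 8 3 3600 20140827030000 20140813020000 12345 libreswan.ca. AAAA
old.libreswan.ca. 3600 IN RRSIG A 8 3 3600 20140823120000 20140809110000 12345 libreswan.ca. AAAA
"""

def signconf_durations(line):
    """Return {NAME: timedelta} for every NAME[PT<n>S] field in a signconf line."""
    return {name: timedelta(seconds=int(secs))
            for name, secs in re.findall(r"([A-Z]+)\[PT(\d+)S\]", line)}

def classify_rrsigs(zone_text, conf, now):
    """Map (owner, covered type) to 'ok', 'stale' or 'expired'."""
    # Assumption: a working signer runs every RESIGN and renews signatures with
    # less than REFRESH remaining, so anything below REFRESH - RESIGN means the
    # signer has stopped producing signatures.
    floor = conf["REFRESH"] - conf["RESIGN"]
    result = {}
    for record in zone_text.splitlines():
        f = record.split()
        if len(f) < 13 or f[3] != "RRSIG":
            continue
        # Field 8 is the signature expiration, YYYYMMDDHHMMSS in UTC.
        expires = datetime.strptime(f[8], "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
        left = expires - now
        state = "expired" if left <= timedelta(0) else "stale" if left < floor else "ok"
        result[(f[0], f[4])] = state
    return result

if __name__ == "__main__":
    now = datetime(2014, 8, 24, 3, 7, 5, tzinfo=timezone.utc)  # constructed check time
    for key, state in classify_rrsigs(RRSIGS, signconf_durations(SIGNCONF), now).items():
        print(*key, state)
```

Run against the served zone on a schedule, a "stale" result raises the alarm while the existing signatures are still valid, instead of after the first RRSIGs have expired.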