On 08/29/2014 04:11 PM, Paul Wouters wrote:
> On Mon, 18 Aug 2014, Paul Wouters wrote:
>
>> On Fri, 15 Aug 2014, Roland van Rijswijk - Deij wrote:
>>
>>> I'd like to create an issue for this in our issue tracking system,
>>> however, I have some questions:
>>>
>>> - Did OpenDNSSEC work correctly after you upgraded from SoftHSM v1 to v2
>>> right up until the point that you tried to create an additional slot?
>>
>> yes, although getting the right permissions between softhsm/ods/nsd and
>> rpm upgrades is very tricky (and a work in progress)
>>
>>> - Could you retry upgrading in this case and testing if OpenDNSSEC works
>>> correctly with the new SoftHSM v2 token and if it does let us know?
>>
>> Yes that seems to work,
>
> I take this back :(
>
> Aug 24 03:07:05 ns0 ods-signerd: SecureDataManager.cpp(359): Invalid IV
> in encrypted data
> Aug 24 03:07:05 ns0 ods-signerd: [hsm] sign init: CKR_GENERAL_ERROR
> Aug 24 03:07:05 ns0 ods-signerd: [hsm] error signing rrset with libhsm
> Aug 24 03:07:05 ns0 ods-signerd: [rrset] unable to sign RRset[28]:
> lhsm_sign() failed
> Aug 24 03:07:05 ns0 ods-signerd: SecureDataManager.cpp(359): Invalid IV
> in encrypted data
> Aug 24 03:07:05 ns0 ods-signerd: [hsm] sign init: CKR_GENERAL_ERROR
> Aug 24 03:07:05 ns0 ods-signerd: [hsm] error signing rrset with libhsm
> Aug 24 03:07:05 ns0 ods-signerd: [rrset] unable to sign RRset[6]:
> lhsm_sign() failed
>
> It hasn't signed for a number of days, and I noticed by the first
> records that had expired RRSIGs :(
>
> Looking back through the logs, it broke instantly, but I misread the
> messages in the log:
>
> Aug 18 14:32:05 ns0 ods-signerd: [signconf] zone libreswan.ca signconf:
> RESIGN[PT7200S] REFRESH[PT604800S] VALIDITY[PT1209600S]
> DENIAL[PT1209600S] JITTER[PT43200S] OFFSET[PT3600S] NSEC[50]
> DNSKEYTTL[PT3600S] SOATTL[PT3600S] MINIMUM[PT3600S] SERIAL[datecounter]
>
> Those didn't actually mean "signed" but "going to sign".

To be precise, that line just informs you of the new signer configuration.

Best regards,
Matthijs

>
> Paul
> _______________________________________________
> Opendnssec-user mailing list
> [email protected]
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
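
A log check for the failure mode discussed in this thread, added here as an example and not taken from the thread or from OpenDNSSEC: it treats [signconf] lines as configuration notices only and counts the HSM signing errors separately. The function names and the REFRESH minus RESIGN margin are assumptions of this example; the sample lines are copied from the messages above with wrapped lines joined.

```python
import re

# Constructed sample: log lines quoted in the thread, wrapped lines joined.
SAMPLE_LOG = """\
Aug 18 14:32:05 ns0 ods-signerd: [signconf] zone libreswan.ca signconf: RESIGN[PT7200S] REFRESH[PT604800S] VALIDITY[PT1209600S] DENIAL[PT1209600S] JITTER[PT43200S] OFFSET[PT3600S] NSEC[50] DNSKEYTTL[PT3600S] SOATTL[PT3600S] MINIMUM[PT3600S] SERIAL[datecounter]
Aug 24 03:07:05 ns0 ods-signerd: SecureDataManager.cpp(359): Invalid IV in encrypted data
Aug 24 03:07:05 ns0 ods-signerd: [hsm] sign init: CKR_GENERAL_ERROR
Aug 24 03:07:05 ns0 ods-signerd: [hsm] error signing rrset with libhsm
Aug 24 03:07:05 ns0 ods-signerd: [rrset] unable to sign RRset[28]: lhsm_sign() failed
"""

LINE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ ods-signerd: (.*)$")
SIGNCONF = re.compile(r"\[signconf\] zone (\S+) signconf: (.*)")
SECONDS = re.compile(r"(\w+)\[PT(\d+)S\]")
FAILURE = re.compile(r"CKR_\w+|error signing rrset|unable to sign RRset|Invalid IV")


def scan(log_text):
    """Separate 'configuration loaded' lines from actual signing failures."""
    report = {"signconf": {}, "failures": [], "first_failure": None}
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        stamp, msg = m.groups()
        conf = SIGNCONF.search(msg)
        if conf:  # informational only: says nothing about signing success
            zone, fields = conf.groups()
            report["signconf"][zone] = {k: int(v) for k, v in SECONDS.findall(fields)}
        elif FAILURE.search(msg):
            report["failures"].append((stamp, msg))
            report["first_failure"] = report["first_failure"] or stamp
    return report


def expiry_margin(conf):
    """Assumed model: a signature is replaced once less than REFRESH remains,
    checked every RESIGN, so the oldest live RRSIG has about REFRESH - RESIGN left."""
    return conf["REFRESH"] - conf["RESIGN"]


if __name__ == "__main__":
    r = scan(SAMPLE_LOG)
    print(len(r["failures"]), "failure lines, first at", r["first_failure"])
    for zone, conf in r["signconf"].items():
        print(zone, "RRSIGs start expiring about", expiry_margin(conf) / 86400, "days after signing stops")
```

Alerting on any non-empty failures list, rather than waiting for expired RRSIGs to show up, catches this condition within one signer run.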
