Hi, it seems I'm still not on friendly terms with my OpenDNSSEC installation. A couple of notes:

1) It seems that ods-signer doesn't (anymore?) do zone transfers of its own initiative, only when prodded by notify messages. Can someone please tell me how ods-signer's incoming zone transfers are supposed to be triggered? My checker script which checks that zone data is flowing from the hidden master through OpenDNSSEC in reasonable time is triggering that this is *NOT* happening for a number of zones. This may be related to the following issue, 2).

2) It seems ods-signer can get into a state where one of its threads is more or less busy-spinning, consuming CPU.

3) It seems that after a while, SoftHSM refuses to cooperate, and in the log I get

    Dec 5 19:30:59 odshost ods-signerd: [hsm] sign RRset[6] with key 2274002621d5c9355a250f48f1919f11 tag 63201
    Dec 5 19:30:59 odshost ods-signerd: [drudger[3]] report for duty
    Dec 5 19:30:59 odshost ods-signerd: [drudger[2]] report for duty
    Dec 5 19:30:59 odshost ods-signerd: [rrset] sign RRset: <afs774afrhq9u2piedkpm4boamg0o190.0.1.3.0.3.3.7.4.nrenum.net,NSEC3>
    Dec 5 19:30:59 odshost ods-signerd: [rrset] sign RRset: <0.0.0.1.3.0.3.3.7.4.nrenum.net,NAPTR>
    Dec 5 19:30:59 odshost ods-signerd: [hsm] error signing rrset with libhsm
    Dec 5 19:30:59 odshost ods-signerd: [rrset] sign RRset: <tqphsarldvidd67mcis0cnsp05qtcf6h.0.1.3.0.3.3.7.4.nrenum.net,NSEC3>
    Dec 5 19:30:59 odshost ods-signerd: [drudger[3]] report for duty
    Dec 5 19:30:59 odshost ods-signerd: [drudger[4]] report for duty
    Dec 5 19:30:59 odshost ods-signerd: [rrset] unable to sign RRset[6]: lhsm_sign() failed

As an operator, these are log messages which are impossible to relate to, because the *reason* for the lhsm_sign() failure is not specified, so corrective action will by necessity need to be based on wild guesswork.

In connection with this, I'm wondering what an appropriate value for <WorkerThreads> (and <SignerThreads>) is in the signer config when using SoftHSM. The documentation does not say how OpenDNSSEC and SoftHSM fit together here.
(I started with 4, more or less "by default", bumped to 6, and I'm now reducing to 2 and considering 1 in order to try to eliminate parallelism bugs.)

Regards,

- Håvard
