Thanks Berry. Can you tell us when the 1.4 version with the fix is likely to be released?
Kind regards, Anne (A.) van Bemmelen SIDN | Meander 501 | 6825 MD | PO Box 5022 | 6802 EA | ARNHEM | The Netherlands T +31 (0)26 352 55 00 | M +31 (0)6 150 633 96 [email protected] | www.sidn.nl | Key-ID: 0xB8A5F0B2 -----Original Message----- From: Opendnssec-user [mailto:[email protected]] On Behalf Of Berry A.W. van Halderen Sent: donderdag 7 april 2016 9:33 To: [email protected] Subject: Re: [Opendnssec-user] Critical issue: CKR_OBJECT_HANDLE_INVALID after ZSK rollover On 04/07/2016 08:47 AM, Anne van Bemmelen wrote: > Dear listmembers, > > During a regular enforcerd wake up a new ZSK was created, according to > the regular scheme. > > Immediately after this wake up the critical issue > 'CKR_OBJECT_HANDLE_INVALID' was logged, see below this message. > > Signing the involved zone wasn't possible. > > Signing of other zones was not impacted. > We have seen this issue in 1.4 and 2.0, and are on the track of solving this issue in those versions. I am however surprised that this issue also occurs on your Luna HSM. The cases we have seen it is where a key is created in the enforcer, but is not yet available to the signer. Your conclusion might be the HSM is slow to make it available, but I won't go this far as also the signer does not properly handle this. I am not too familiar with the 1.3 branch, whether this is truely the same issue. With kind regards, Berry van Halderen > > Workaround: restart ODS. > > > > But this is the third time this happened, and although for a different > zone in exactly the same circumstances. > > > > The first and second time we used this configuration: > > - RedHat 5 > > - ODS v1.3.5 > > - HSM Luna SA4 > > > > This third time we used the new configuration: > > - Ubuntu 14.04 > > - ODS v1.4.7 > > - HSM Luna SA6 > > > > Questions: > > - did anyone notice this before > > - what can be the cause of this error > > - what can I do to fix this > > > > Some relevant logging: > > Apr 5 20:49:11 myhost ods-enforcerd: Created key in repository . > > Apr 5 20:49:11 myhost ods-enforcerd: Created ZSK size: 1024, alg: 8 > with id******** in repository: . and database. > > [.] > > Apr 5 20:49:12 myhost ods-enforcerd: Sleeping for 3600 seconds. > > Apr 5 20:49:12 myhost ods-signerd: [hsm] C_GetAttributeValue: > CKR_OBJECT_HANDLE_INVALID > > Apr 5 20:49:12 myhost ods-signerd: [hsm] unable to get key: hsm failed > to create dnskey > > Apr 5 20:49:12 myhost ods-signerd: [zone] unable to publish dnskeys for > zone myzone: error creating dnskey > > Apr 5 20:49:12 myhost ods-signerd: [tools] unable to read zone myzone: > failed to publish dnskeys (General error) > > Apr 5 20:49:13 myhost ods-signerd: [worker[3]] CRITICAL: failed to sign > zone myzone: General error > > > > > > Kind regards, > > Anne (A.) van Bemmmelen > > > > cid:[email protected] > > > > SIDN | Meander 501 | 6825 MD | PO Box 5022 | 6802 EA | ARNHEM | The > Netherlands > > T +31 (0)26 352 55 00 | M +31 (0)6 150 633 96 > > [email protected] <mailto:[email protected]>| www.sidn.nl > <http://www.sidn.nl/>| Key-ID: 0xB8A5F0B2 > > > > > > > > _______________________________________________ > Opendnssec-user mailing list > [email protected] > https://lists.opendnssec.org/mailman/listinfo/opendnssec-user > _______________________________________________ Opendnssec-user mailing list [email protected] https://lists.opendnssec.org/mailman/listinfo/opendnssec-user _______________________________________________ Opendnssec-user mailing list [email protected] https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
