Hi, I am running opendnssec 2.1.8 and softhsm2 2.6.1 in a jail on a recent FreeBSD 13-STABLE system.

Today, all of a sudden, I am getting these errors for all of my domains (e.g. example.tld):

Apr 15 11:10:45 <local0.notice> ods-enforcerd[52482]: [engine] running as pid 52482
Apr 15 11:10:45 <local0.notice> ods-enforcerd[52482]: [engine] enforcer started
Apr 15 11:10:45 <local0.notice> ods-enforcerd[52482]: [enforcer] update zone: example.tld
Apr 15 11:10:45 <local0.err> ods-enforcerd[52482]: [hsm_key_factory_delete_key] looking for keys to purge from HSM
Apr 15 11:10:45 <local0.notice> ods-enforcerd[52482]: [enforcer] removeDeadKeys: keys deleted from HSM: 0
Apr 15 11:10:45 <local0.notice> ods-enforcerd[52482]: [enforce_task] No changes to signconf file required for zone example.tld
...
Apr 15 11:10:46 <local0.err> ods-signerd[52488]: [hsm] unable to get key: key c9b713853a6757d0ac806ddc6384968c not found
Apr 15 11:10:46 <local0.err> ods-signerd[52488]: [hsm] hsm_get_dnskey(): Got NULL key
Apr 15 11:10:46 <local0.err> ods-signerd[52488]: [hsm] unable to get key: hsm failed to create dnskey
Apr 15 11:10:46 <local0.err> ods-signerd[52488]: [zone] unable to prepare signing keys for zone example.tld: error getting dnskey
Apr 15 11:10:46 <local0.crit> ods-signerd[52488]: [worker[1]] CRITICAL: failed to sign zone example.tld: General error
Apr 15 11:10:46 <local0.notice> ods-signerd[52488]: back-off task [sign] for zone example.tld with 60 seconds

I didn't change anything, but immediately after a restart of the jail those messages started. All my keys shown by 'ods-enforcer key list --verbose' can be found in the SoftHSM2 database 'ods-hsmutil list', and all those keys (e.g. c9b713853a6757d0ac806ddc6384968c) are not. That explains the complaints, e.g. 'key c9b713853a6757d0ac806ddc6384968c not found'. But why does the signer look for keys not available in the hsm database? Any ideas regarding this and how to debug this issue?

Thanks in advance and with kind regards,
Michael
