Hi — @Berry: you asked for ...

dns> ls -al /usr/local/lib/softhsm/libsofthsm.so
-rwxr-xr-x  1 root  wheel  149136 Jan 13 22:03 /usr/local/lib/softhsm/libsofthsm.so

Yuri Schaeffer <[email protected]> wrote:
>> I don't mean that, perhaps the policy has been changed such that now
>> an algorithm or key length is being requested that isn't supported?
>
> Ah. I wondered why you asked. :)
>
> Yes, exactly that, an unsupported algorithm or keylength or a bad
> combination of the two might spur similar errors on 1.4. I think.

Hmm. I came about "ods-hsmutil test" and tried it on a copy of

dns> ods-hsmutil info
Repository: SoftHSM
    Module: /usr/local/lib/softhsm/libsofthsm.so
    Slot: 0
    Token Label: OpenDNSSEC
    Manufacturer: SoftHSM
    Model: SoftHSM
    Serial: 1

dns|root> ods-hsmutil -v test SoftHSM
Testing repository: SoftHSM

Generating 512-bit RSA key... OK
Extracting key identifier... OK, 0c912e61825b94cd1508dc2759990d81
Signing (RSA/SHA1) with key... OK
Signing (RSA/SHA256) with key... OK
Deleting key... OK

Generating 768-bit RSA key... OK
Extracting key identifier... OK, deec6a16dab536014f97e9d7fb2425d2
Signing (RSA/SHA1) with key... OK
Signing (RSA/SHA256) with key... OK
Deleting key... OK

Generating 1024-bit RSA key... OK
Extracting key identifier... OK, 4c811b6400962ac1d2315c6f04e9b9b6
Signing (RSA/SHA1) with key... OK
Signing (RSA/SHA256) with key... OK
Signing (RSA/SHA512) with key... OK
Deleting key... OK

Generating 1536-bit RSA key... OK
Extracting key identifier... OK, 1c9d249bf36560a2a98d3adf35107344
Signing (RSA/SHA1) with key... OK
Signing (RSA/SHA256) with key... OK
Signing (RSA/SHA512) with key... OK
Deleting key... OK

Generating 2048-bit RSA key... OK
Extracting key identifier... OK, 7752b3962e79f9bdc7c51639d8645715
Signing (RSA/SHA1) with key... OK
Signing (RSA/SHA256) with key... OK
Signing (RSA/SHA512) with key... OK
Deleting key... OK

Generating 4096-bit RSA key... OK
Extracting key identifier... OK, 264f708cb68c8618100f0e5503da6d42
Signing (RSA/SHA1) with key... OK
Signing (RSA/SHA256) with key... OK
Signing (RSA/SHA512) with key... OK
Deleting key... OK

Generating 512-bit DSA key... Failed generate domain parameters: CKR_FUNCTION_NOT_SUPPORTED
Generating 768-bit DSA key... Failed generate domain parameters: CKR_FUNCTION_NOT_SUPPORTED
Generating 1024-bit DSA key... Failed generate domain parameters: CKR_FUNCTION_NOT_SUPPORTED
Generating 512-bit GOST key... Failed generate key pair: CKR_MECHANISM_INVALID
Segmentation fault (core dumped)

Hmmm!? What does that mean? I guess I should be worried.

What to do next:

#) would such a database be possible to migrate to softhsm2? Either by the migration script or manually (export, import)?
#) should I try to trigger a manual ZSK rollover for the erratic domain?
#) anything else?
#) I am already thinking about a worst case scenario: Restarting from scratch (only 9 domains involved). I have read that it should be possible to run two opendnssec versions in parallel. Can you confirm this?

Thank you very much that you are still trying to help me,

Michael
