On 01/19/2017 09:03 AM, Michael Grimm wrote:
> Generating 512-bit DSA key... Failed
> generate domain parameters: CKR_FUNCTION_NOT_SUPPORTED
> Generating 768-bit DSA key... Failed
> generate domain parameters: CKR_FUNCTION_NOT_SUPPORTED
> Generating 1024-bit DSA key... Failed
> generate domain parameters: CKR_FUNCTION_NOT_SUPPORTED
> Generating 512-bit GOST key... Failed
> generate key pair: CKR_MECHANISM_INVALID
> Segmentation fault (core dumped)
>
> Hmmm!? What does that mean? I guess I should be worried.

Without seeing a trace, my 1st *guess* would be that the linked Botan or
OpenSSL (DID softhsm1 even support OpenSSL?) crypto backend doesn't have
DSA enabled, or is somehow busted.
Just curious -- where are you getting your Softhsm/ODS installs?
DIY?
Distro pkgs?

> What to do next:
> #) would such a database be possible to migrate to softhsm2? Either by the
> migration script or manually (export, import)?
> #) should I try to trigger a manual ZSK rollover for the erratic domain?
> #) anything else?
> #) I am already thinking about a worst case scenario: Restarting from scratch
> (only 9 domains involved). I have read that it should be possible to run two
> opendnssec versions in parallel. Can you confirm this?

Just my $0.02 ... and, I'm certainly not one of the devs.
I'd had zero luck getting softhsm1x and ods1x working on my system; if
it wasn't one thing it was another.
Yes, I know, others obviously have it working.
I moved, instead, to building from src:
  ldns 1.7.x
  softhsm 2.3.x, backed by openssl 1.0.2j
  ods 2.1.x
and run under systemd.
Since then, I've had a much more reliable system.
IIUC from a previous post, ods 2.1 is targeted for _release_ end of Jan.
Apart from the fact that it all works (so far) it's also, inevitably,
where new development will be.
YMMV.
_______________________________________________
Opendnssec-user mailing list
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user