-
Type:
Support
-
Status: In Progress
-
Priority:
Minor
-
Resolution: Unresolved
-
Affects Version/s: OpenDNSSEC 1.0.0, OpenDNSSEC 1.1.0, OpenDNSSEC 1.1.1, OpenDNSSEC 1.1.2, OpenDNSSEC 1.1.3, OpenDNSSEC 1.2.0, OpenDNSSEC 1.2.1, OpenDNSSEC 1.2.2, OpenDNSSEC 1.3.0, OpenDNSSEC 1.3.1, OpenDNSSEC 1.3.2, OpenDNSSEC 1.3.3, OpenDNSSEC 1.3.4, OpenDNSSEC 1.3.5, OpenDNSSEC 1.3.6, OpenDNSSEC 1.3.7, OpenDNSSEC 1.3.8, OpenDNSSEC 1.4.0a1, OpenDNSSEC 1.4.0a2, OpenDNSSEC 1.3.9, OpenDNSSEC 1.3.10, OpenDNSSEC 1.4.0a3, OpenDNSSEC 1.4.0b1, OpenDNSSEC 1.3.11, OpenDNSSEC 1.3.12, OpenDNSSEC 1.3.13, OpenDNSSEC 1.3.14, OpenDNSSEC 1.4.0b2, OpenDNSSEC 1.4.0rc1, OpenDNSSEC 1.4.0rc2, OpenDNSSEC 1.4.0b3, OpenDNSSEC 1.4.0rc3, OpenDNSSEC 1.4.0, OpenDNSSEC 1.4.1, OpenDNSSEC 1.4.2, OpenDNSSEC 1.3.15, OpenDNSSEC 1.3.16, OpenDNSSEC 1.4.3, OpenDNSSEC 2.0
-
Fix Version/s: None
-
Component/s: Enforcer
-
Labels:None
At least since revision 2008 (latest modification of the problematic source code lines) and up to the trunk version, Enforcer is suicidal (exit(1)) in case hsm_pkcs11_check_error() call performed in hsm_generate_rsa_key() returns a true value (PKCS11 error).
This means that if any "repository" encounters any error during the key generation procedure, Enforcer suicides, thus terminating all key management, including of the other perfectly sane repositories.
I encountered this problem when my HSM, only used for my KSKs, became unreachable. Enforcer suicided itself at this moment, preventing further key management, including generation and key rollover of my ZSKs, which are stored on SoftHSM.
I believe appropriate behaviour should be to gracefully handle the error, by logging a critical error message and trying to "reset" connections to this erroneous repository.
In any case, key management for other repositories should be resumed.
- is cloned by
-
OPENDNSSEC-516 CLONE - Enforcer suicide on HSM error (hsm_generate_rsa_key)
-
- Open
-