On Sat, Sep 19, 2015 at 11:24:12AM +0200, Patrik Lundin wrote:
>
> Just a quick update: both the segfault on i386 and the lockup on macppc
> have been fixed on the development branch.
>
> I'll send an updated port as soon as the fixes are available in a
> release which may be out in the upcoming week.
>

The 1.4.8.2 version of opendnssec was just released. This version
incorporates the above mentioned fixes. You will find the port attached.

The only issue I have seen was on sparc64 where some kind of self-check
in the botan library would fail once:

/var/log/messages:
===
Sep 26 08:25:01 ns3-old ods-enforcerd: opendnssec started (version 1.4.8), pid 28386
Sep 26 08:25:03 ns3-old ods-signerd: [hsm] libhsm connection opened succesfully
Sep 26 08:25:03 ns3-old ods-signerd: [engine] signer started (version 1.4.8), pid 17887
Sep 26 08:26:00 ns3-old ods-enforcerd: SoftHSM: C_GenerateKeyPair: Key pair generated
Sep 26 08:26:00 ns3-old ods-enforcerd: SoftHSM: C_DestroyObject: An object has been destroyed
Sep 26 08:26:00 ns3-old ods-enforcerd: SoftHSM: C_GenerateKeyPair: Key pair generated
Sep 26 08:26:00 ns3-old ods-enforcerd: SoftHSM: C_DestroyObject: An object has been destroyed
Sep 26 08:26:00 ns3-old ods-enforcerd: WARNING: Making non-backed up ZSK active, PLEASE make sure that you know the potential problems of using keys which are not recoverable
Sep 26 08:26:00 ns3-old ods-signerd: [signconf] zone example.com signconf: RESIGN[PT7200S] REFRESH[PT259200S] VALIDITY[PT1209600S] DENIAL[PT1209600S] JITTER[PT43200S] OFFSET[PT3600S] NSEC[50] DNSKEYTTL[PT3600S] SOATTL[PT3600S] MINIMUM[PT3600S] SERIAL[unixtime]
Sep 26 08:26:00 ns3-old ods-signerd: SoftHSM: C_Sign: Could not sign the data: Internal error: Assertion self_test_signature(encoded, plain_sig) failed (PK_Signer consistency check failed) in Botan::SecureVector<unsigned char> Botan::PK_Signer::signature(Botan::RandomNumberGenerator&) @./src/pubkey/pubkey.cpp:219
Sep 26 08:26:00 ns3-old ods-signerd: [hsm] sign final: CKR_GENERAL_ERROR
Sep 26 08:26:00 ns3-old ods-signerd: [hsm] error signing rrset with libhsm
Sep 26 08:26:00 ns3-old ods-signerd: [rrset] unable to sign RRset[50]: lhsm_sign() failed
Sep 26 08:26:00 ns3-old ods-signerd: [worker[2]] sign zone example.com failed: 1 RRsets failed
Sep 26 08:26:00 ns3-old ods-signerd: [worker[2]] CRITICAL: failed to sign zone example.com: General error
Sep 26 08:26:00 ns3-old ods-signerd: [worker[2]] backoff task [sign] for zone example.com with 60 seconds
Sep 26 08:27:00 ns3-old ods-signerd: [STATS] example.com 1443248820 RR[count=5 time=0(sec)] NSEC3[count=3 time=0(sec)] RRSIG[new=2 reused=7 time=0(sec) avg=0(sig/sec)] TOTAL[time=60(sec)]
===

/var/log/daemon:
===
Sep 26 08:26:00 ns3-old ods-signerd: [cmdhandler] received command update example.com[18]
Sep 26 08:26:00 ns3-old ods-signerd: [zonelist] read file /etc/opendnssec/zonelist.xml
Sep 26 08:26:00 ns3-old ods-signerd: [worker[2]] configure zone example.com
Sep 26 08:26:00 ns3-old ods-enforcerd: Called signer engine: /usr/local/sbin/ods-signer update example.com
Sep 26 08:26:00 ns3-old ods-enforcerd: Disconnecting from Database...
Sep 26 08:26:00 ns3-old ods-enforcerd: Sleeping for 3600 seconds.
Sep 26 08:26:00 ns3-old ods-signerd: [signconf] zone example.com signconf: RESIGN[PT7200S] REFRESH[PT259200S] VALIDITY[PT1209600S] DENIAL[PT1209600S] JITTER[PT43200S] OFFSET[PT3600S] NSEC[50] DNSKEYTTL[PT3600S] SOATTL[PT3600S] MINIMUM[PT3600S] SERIAL[unixtime]
Sep 26 08:26:00 ns3-old ods-signerd: [worker[2]] read zone example.com
Sep 26 08:26:00 ns3-old ods-signerd: [adapter] read zone example.com from file input adapter /var/opendnssec/unsigned/example.com
Sep 26 08:26:00 ns3-old ods-signerd: [adapter] zone example.com set soa ttl to 3600
Sep 26 08:26:00 ns3-old ods-signerd: [adapter] zone example.com set soa minimum to 3600
Sep 26 08:26:00 ns3-old ods-signerd: [adapter] zone example.com set soa serial to 1443248760
Sep 26 08:26:00 ns3-old ods-signerd: [worker[2]] sign zone example.com
Sep 26 08:26:00 ns3-old ods-signerd: [hsm] sign final: CKR_GENERAL_ERROR
Sep 26 08:26:00 ns3-old ods-signerd: [hsm] error signing rrset with libhsm
Sep 26 08:26:00 ns3-old ods-signerd: [rrset] unable to sign RRset[50]: lhsm_sign() failed
Sep 26 08:26:00 ns3-old ods-signerd: [worker[2]] sign zone example.com failed: 1 RRsets failed
Sep 26 08:26:00 ns3-old ods-signerd: [worker[2]] CRITICAL: failed to sign zone example.com: General error
Sep 26 08:26:00 ns3-old ods-signerd: [worker[2]] backoff task [sign] for zone example.com with 60 seconds
Sep 26 08:27:00 ns3-old ods-signerd: [worker[2]] sign zone example.com
Sep 26 08:27:00 ns3-old ods-signerd: [zone] zone example.com set soa serial to 1443248820
Sep 26 08:27:00 ns3-old ods-signerd: [worker[2]] write zone example.com
Sep 26 08:27:00 ns3-old ods-signerd: [adapter] write zone example.com serial 1443248820 to output file adapter /var/opendnssec/signed/example.com
Sep 26 08:27:00 ns3-old ods-signerd: [STATS] example.com 1443248820 RR[count=5 time=0(sec)] NSEC3[count=3 time=0(sec)] RRSIG[new=2 reused=7 time=0(sec) avg=0(sig/sec)] TOTAL[time=60(sec)]
===

It seems as if it first fails with signing, but then succeeds on the
second try. Googling the error I found this thread:
http://lists.randombit.net/pipermail/botan-devel/2011-June/001437.html

This is not a problem with the opendnssec port though, and it did
actually do the right thing and try signing again.

I think this is finally ready to go in, please try it out :).

-- 
Patrik Lundin
opendnssec.tgz
Description: application/tar-gz
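
The fail-then-retry pattern in the logs above, turned into a log check that separates zones whose signing recovered from zones still stuck in failure. This is an added example, not part of the original message or of OpenDNSSEC; the function names are hypothetical, and the sample lines are constructed from the message shapes quoted above (example.net and example.org are invented zones).

```python
import re

# Patterns follow the ods-signerd message shapes quoted in the message above.
FAIL = re.compile(r"ods-signerd: \[worker\[\d+\]\] CRITICAL: failed to sign zone (\S+):")
STATS = re.compile(r"ods-signerd: \[STATS\] (\S+) (\d+) ")
SELF_TEST = "PK_Signer consistency check failed"


def sign_outcomes(lines):
    """Return (per-zone state, count of Botan self-test failures).

    A [STATS] line for a zone after a CRITICAL failure means the retry signed it.
    """
    zones, self_test_hits = {}, 0
    for line in lines:
        if SELF_TEST in line:
            self_test_hits += 1  # the SoftHSM line names no zone, so count globally
            continue
        m = FAIL.search(line)
        if m:
            z = zones.setdefault(m.group(1), {"failures": 0, "state": "ok", "serial": None})
            z["failures"] += 1
            z["state"] = "failing"
            continue
        m = STATS.search(line)
        if m:
            z = zones.setdefault(m.group(1), {"failures": 0, "state": "ok", "serial": None})
            z["serial"] = int(m.group(2))
            z["state"] = "recovered" if z["failures"] else "ok"
    return zones, self_test_hits


def still_failing(zones):
    """Zones whose latest signing event is a failure; these need an operator."""
    return sorted(name for name, z in zones.items() if z["state"] == "failing")


# Constructed sample input (not a real capture).
SAMPLE = [
    "Sep 26 08:26:00 ns3-old ods-signerd: SoftHSM: C_Sign: Could not sign the data: "
    "Internal error: Assertion self_test_signature(encoded, plain_sig) failed "
    "(PK_Signer consistency check failed)",
    "Sep 26 08:26:00 ns3-old ods-signerd: [worker[2]] CRITICAL: failed to sign zone example.com: General error",
    "Sep 26 08:26:00 ns3-old ods-signerd: [worker[2]] backoff task [sign] for zone example.com with 60 seconds",
    "Sep 26 08:26:30 ns3-old ods-signerd: [worker[1]] CRITICAL: failed to sign zone example.net: General error",
    "Sep 26 08:27:00 ns3-old ods-signerd: [STATS] example.com 1443248820 RR[count=5 time=0(sec)]",
    "Sep 26 08:27:05 ns3-old ods-signerd: [STATS] example.org 1443248825 RR[count=4 time=0(sec)]",
]

if __name__ == "__main__":
    zones, hits = sign_outcomes(SAMPLE)
    print(zones, hits, still_failing(zones))
```

A zone that stays in `still_failing` across several backoff intervals keeps serving its old signatures, so that list is the one to alert on before those signatures expire.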