[Opendnssec-develop] Unexpected behavior

Rick Zijlker rick.zijlker at sidn.nl
Tue Dec 29 13:08:35 UTC 2009


In addition to my previous mail: I'm running RC2 and ODS is not using the
assigned policy to sign my zone.

It seems like it is using the repository of policy 'default' instead of
policy 'SCKR_S1T1'.

I'm getting this piece of logging every hour:

Dec 29 13:06:05 signer2 ods-enforcerd: Reading config "/etc/opendnssec/conf.xml"
Dec 29 13:06:05 signer2 ods-enforcerd: Reading config schema "/usr/local/share/opendnssec/conf.rng"
Dec 29 13:06:05 signer2 ods-enforcerd: Communication Interval: 3600
Dec 29 13:06:05 signer2 ods-enforcerd: SQLite database set to: /var/opendnssec/kasp.db
Dec 29 13:06:05 signer2 ods-enforcerd: Log User set to: local0
Dec 29 13:06:05 signer2 ods-enforcerd: Switched log facility to: local0
Dec 29 13:06:05 signer2 ods-enforcerd: Connecting to Database...
Dec 29 13:06:05 signer2 ods-enforcerd: Policy default found.
Dec 29 13:06:05 signer2 ods-enforcerd: Key sharing is Off.
Dec 29 13:06:05 signer2 ods-enforcerd: NOTE: keys generated in repository luna1 will not become active until they have been backed up
Dec 29 13:06:05 signer2 ods-enforcerd: Policy SCKR_S1T1 found.
Dec 29 13:06:05 signer2 ods-enforcerd: Key sharing is On
Dec 29 13:06:05 signer2 ods-enforcerd: zonelist filename set to /etc/opendnssec/zonelist.xml.
Dec 29 13:06:05 signer2 ods-enforcerd: Zone rick.nl found.
Dec 29 13:06:05 signer2 ods-enforcerd: Policy for rick.nl set to SCKR_S1T1.
Dec 29 13:06:05 signer2 ods-enforcerd: Config will be output to /var/opendnssec/signconf/rick.nl.xml.
Dec 29 13:06:05 signer2 ods-enforcerd: INFO: Promoting KSK from publish to active as this is the first pass for the zone
Dec 29 13:06:05 signer2 ods-enforcerd: ERROR: Trying to make non-backed up KSK active when RequireBackup flag is set
Dec 29 13:06:05 signer2 ods-enforcerd: KsmRequestKeys returned: 65562
Dec 29 13:06:05 signer2 ods-enforcerd: Signconf not written for rick.nl
Dec 29 13:06:05 signer2 ods-enforcerd: Disconnecting from Database...
Dec 29 13:06:05 signer2 ods-enforcerd: Sleeping for 3600 seconds.

Zone list looks good:

[root at signer2 ~]# ods-ksmutil zone list
zonelist filename set to /etc/opendnssec/zonelist.xml.
Found Zone: rick.nl; on policy SCKR_S1T1

A bit more of the SCKR_S1T1 policy:

<Description>Default policy exceeding speed limits</Description>
<Signatures>
        <Resign>PT3M</Resign>
        <Refresh>PT20M</Refresh>
        <Validity>
                <Default>PT45M</Default>
                <Denial>PT45M</Denial>
        </Validity>
        <Jitter>PT10M</Jitter>
        <InceptionOffset>PT300S</InceptionOffset>
</Signatures>

Cheers,

Rick

From: opendnssec-develop-bounces at lists.opendnssec.org
[mailto:opendnssec-develop-bounces at lists.opendnssec.org] On Behalf Of
Rick Zijlker
Sent: Monday 28 December 2009 15:59
To: opendnssec-develop at lists.opendnssec.org
Subject: [Opendnssec-develop] Unexpected behavior

Hello,

While trying to sign a zone with softHSM, I am getting notes and errors
that belong to the hardware HSM, even though the hardware HSM isn't
being used at all.

These are the repositories (conf.xml):

<RepositoryList>
        <Repository name="softHSM">
                <Module>/usr/local/lib/libsofthsm.so</Module>
                <TokenLabel>test</TokenLabel>
                <PIN>1111</PIN>
        </Repository>
        <Repository name="luna1">
                <Module>/usr/lib/libCryptoki2_64.so</Module>
                <TokenLabel>signer1-ksk</TokenLabel>
                <PIN>PR46-dH7b-9TSX-9pTX</PIN>
                <Capacity>1000</Capacity>
                <RequireBackup/>
        </Repository>
</RepositoryList>

Part of the Policy which I attached to the zone I am signing (kasp.xml):

<KSK>
        <Algorithm length="2048">7</Algorithm>
        <Lifetime>PT5H</Lifetime>
        <Repository>softHSM</Repository>
        <Standby>1</Standby>
        <!-- <ManualRollover/> -->
</KSK>
<ZSK>
        <Algorithm length="1024">7</Algorithm>
        <Lifetime>PT2H</Lifetime>
        <Repository>softHSM</Repository>
        <Standby>1</Standby>
</ZSK>

It looks like ODS is trying to use softHSM as the repository, since it is
creating new keys in softHSM, but the ERROR and NOTE messages refer
to luna1 (Error creating key in repository luna1), which isn't being
used at all.

I only have 1 zone in the zonelist and updated the KASP before starting
the daemons. Also, I have signed nl before with the default policy and
it was no problem. Now that I removed nl from the zonelist, it seems ODS
tries to create 1000 KSKs for no obvious reason.

Also the logging tells me (15:06:01 NOTE: keys generated in repository
SoftHSM..) to back up the keys, but SoftHSM hasn't got <RequireBackup/>
added.

Dec 28 15:05:59 signer2 ods-signerd: Error updating zone configuration for: rick.nl
Dec 28 15:05:59 signer2 ods-signerd: [Errno 2] No such file or directory: u'/var/opendnssec/signconf/rick.nl.xml'
Dec 28 15:05:59 signer2 ods-signerd: opening socket: /var/run/opendnssec/engine.sock
Dec 28 15:05:59 signer2 ods-signerd: Engine running
Dec 28 15:05:59 signer2 ods-enforcerd: opendnssec-enforcer starting...
Dec 28 15:05:59 signer2 ods-enforcerd: opendnssec-enforcer Parent exiting...
Dec 28 15:05:59 signer2 ods-enforcerd: opendnssec-enforcer forked OK...
Dec 28 15:05:59 signer2 ods-enforcerd: opendnssec-enforcer started (version 1.0.0rc2), pid 1394
Dec 28 15:05:59 signer2 ods-enforcerd: SSL cipher list set to AES256-SHA
Dec 28 15:05:59 signer2 ods-enforcerd: HSM opened successfully.
Dec 28 15:05:59 signer2 ods-enforcerd: Reading config "/etc/opendnssec/conf.xml"
Dec 28 15:05:59 signer2 ods-enforcerd: Reading config schema "/usr/local/share/opendnssec/conf.rng"
Dec 28 15:05:59 signer2 ods-enforcerd: Communication Interval: 3600
Dec 28 15:05:59 signer2 ods-enforcerd: SQLite database set to: /var/opendnssec/kasp.db
Dec 28 15:05:59 signer2 ods-enforcerd: Log User set to: local0
Dec 28 15:05:59 signer2 ods-enforcerd: Switched log facility to: local0
Dec 28 15:05:59 signer2 ods-enforcerd: Connecting to Database...
Dec 28 15:05:59 signer2 ods-enforcerd: Policy default found.
Dec 28 15:05:59 signer2 ods-enforcerd: Key sharing is Off.
Dec 28 15:05:59 signer2 ods-enforcerd: NOTE: keys generated in repository luna1 will not become active until they have been backed up
Dec 28 15:05:59 signer2 ods-enforcerd: Policy SCKR_S1T1 found.
Dec 28 15:05:59 signer2 ods-enforcerd: Key sharing is On
Dec 28 15:06:00 signer2 ods-enforcerd: SoftHSM: C_GenerateKeyPair: Key pair generated
Dec 28 15:06:00 signer2 ods-enforcerd: Created KSK size: 2048, alg: 7 with id: d4b41a1c08cd125868d071d41f7eb11a in repository: softHSM and database.
Dec 28 15:06:01 signer2 ods-enforcerd: SoftHSM: C_GenerateKeyPair: Key pair generated
Dec 28 15:06:01 signer2 ods-enforcerd: Created KSK size: 2048, alg: 7 with id: 80c10f316ea259642f7714aceeece25a in repository: softHSM and database.
Dec 28 15:06:01 signer2 ods-enforcerd: SoftHSM: C_GenerateKeyPair: Key pair generated
Dec 28 15:06:01 signer2 ods-enforcerd: Created ZSK size: 1024, alg: 7 with id: 578b649144cc6dbd59c1a2d73477e7a7 in repository: softHSM and database.
Dec 28 15:06:01 signer2 ods-enforcerd: SoftHSM: C_GenerateKeyPair: Key pair generated
Dec 28 15:06:01 signer2 ods-enforcerd: Created ZSK size: 1024, alg: 7 with id: 7b831287fe74cc5d12277873fca0fa93 in repository: softHSM and database.
Dec 28 15:06:01 signer2 ods-enforcerd: NOTE: keys generated in repository softHSM will not become active until they have been backed up
Dec 28 15:06:01 signer2 ods-enforcerd: zonelist filename set to /etc/opendnssec/zonelist.xml.
Dec 28 15:06:01 signer2 ods-enforcerd: Zone rick.nl found.
Dec 28 15:06:01 signer2 ods-enforcerd: Policy for rick.nl set to SCKR_S1T1.
Dec 28 15:06:01 signer2 ods-enforcerd: Config will be output to /var/opendnssec/signconf/rick.nl.xml.
Dec 28 15:06:01 signer2 ods-enforcerd: INFO: Promoting KSK from publish to active as this is the first pass for the zone
Dec 28 15:06:01 signer2 ods-enforcerd: ERROR: Trying to make non-backed up KSK active when RequireBackup flag is set
Dec 28 15:06:01 signer2 ods-enforcerd: KsmRequestKeys returned: 65562
Dec 28 15:06:01 signer2 ods-enforcerd: Signconf not written for rick.nl
Dec 28 15:06:01 signer2 ods-enforcerd: Disconnecting from Database...
Dec 28 15:06:01 signer2 ods-enforcerd: Sleeping for 3600 seconds.
Dec 28 15:37:18 signer2 ods-enforcerd: Reading config "/etc/opendnssec/conf.xml"
Dec 28 15:37:18 signer2 ods-enforcerd: Reading config schema "/usr/local/share/opendnssec/conf.rng"
Dec 28 15:37:18 signer2 ods-enforcerd: Communication Interval: 3600
Dec 28 15:37:18 signer2 ods-enforcerd: SQLite database set to: /var/opendnssec/kasp.db
Dec 28 15:37:18 signer2 ods-enforcerd: Log User set to: local0
Dec 28 15:37:18 signer2 ods-enforcerd: Switched log facility to: local0
Dec 28 15:37:18 signer2 ods-enforcerd: Connecting to Database...
Dec 28 15:37:18 signer2 ods-enforcerd: Policy default found.
Dec 28 15:37:18 signer2 ods-enforcerd: Key sharing is Off.
Dec 28 15:37:18 signer2 ods-enforcerd: Repository luna1 is nearly full, will create 1000 KSKs for policy default (reduced from -2)
Dec 28 15:37:18 signer2 ods-enforcerd: Error creating key in repository luna1
Dec 28 15:37:18 signer2 ods-enforcerd: Find objects init: CKR_DEVICE_ERROR
Dec 28 15:37:27 signer2 ods-enforcerd: Reading config "/etc/opendnssec/conf.xml"
Dec 28 15:37:27 signer2 ods-enforcerd: Reading config schema "/usr/local/share/opendnssec/conf.rng"
Dec 28 15:37:27 signer2 ods-enforcerd: Communication Interval: 3600
Dec 28 15:37:27 signer2 ods-enforcerd: SQLite database set to: /var/opendnssec/kasp.db
Dec 28 15:37:27 signer2 ods-enforcerd: Log User set to: local0
Dec 28 15:37:27 signer2 ods-enforcerd: Switched log facility to: local0
Dec 28 15:37:27 signer2 ods-enforcerd: Connecting to Database...
Dec 28 15:37:27 signer2 ods-enforcerd: Policy default found.
Dec 28 15:37:27 signer2 ods-enforcerd: Key sharing is Off.
Dec 28 15:37:27 signer2 ods-enforcerd: Repository luna1 is nearly full, will create 1000 KSKs for policy default (reduced from -2)
Dec 28 15:37:27 signer2 ods-enforcerd: Error creating key in repository luna1
Dec 28 15:37:27 signer2 ods-enforcerd: Find objects init: CKR_DEVICE_ERROR

Can anyone (if there is even anyone not having holiday) enlighten me?

Cheers,

Rick
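As an added example, not code from the thread or from the OpenDNSSEC project, the following Python cross-checks the three files involved in the problem above: it lists which conf.xml repositories carry RequireBackup, confirms that each policy's KSK and ZSK repository exists, and flags policies that no zone in zonelist.xml uses, which is the situation the "Policy default found" and luna1 NOTE lines show, where the enforcer still walks the default policy although only rick.nl on SCKR_S1T1 is listed. The <Keys> layout of kasp.xml, the zonelist.xml layout and the PLACEHOLDER-PIN value are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed fragments modelled on the conf.xml, kasp.xml and zonelist.xml in this
# thread. The luna1 PIN is a placeholder; the <Keys> layout of kasp.xml is assumed.
CONF_XML = """<Configuration><RepositoryList>
  <Repository name="softHSM"><Module>/usr/local/lib/libsofthsm.so</Module>
    <TokenLabel>test</TokenLabel><PIN>1111</PIN></Repository>
  <Repository name="luna1"><Module>/usr/lib/libCryptoki2_64.so</Module>
    <TokenLabel>signer1-ksk</TokenLabel><PIN>PLACEHOLDER-PIN</PIN>
    <Capacity>1000</Capacity><RequireBackup/></Repository>
</RepositoryList></Configuration>"""
KASP_XML = """<KASP>
  <Policy name="default"><Keys><KSK><Repository>luna1</Repository></KSK>
    <ZSK><Repository>softHSM</Repository></ZSK></Keys></Policy>
  <Policy name="SCKR_S1T1"><Keys><ShareKeys/><KSK><Repository>softHSM</Repository></KSK>
    <ZSK><Repository>softHSM</Repository></ZSK></Keys></Policy>
</KASP>"""
ZONELIST_XML = '<ZoneList><Zone name="rick.nl"><Policy>SCKR_S1T1</Policy></Zone></ZoneList>'

def repositories(conf_xml):
    """Repository name -> (RequireBackup set?, Capacity or None) from conf.xml."""
    out = {}
    for r in ET.fromstring(conf_xml).iter("Repository"):
        cap = r.findtext("Capacity")
        out[r.get("name")] = (r.find("RequireBackup") is not None, int(cap) if cap else None)
    return out

def policy_repos(kasp_xml):
    """Policy name -> {"KSK": repo, "ZSK": repo} from kasp.xml."""
    return {p.get("name"): {k: p.findtext(f"Keys/{k}/Repository") for k in ("KSK", "ZSK")}
            for p in ET.fromstring(kasp_xml).iter("Policy")}

def zone_policies(zonelist_xml):
    """Zone name -> policy name from zonelist.xml."""
    return {z.get("name"): z.findtext("Policy") for z in ET.fromstring(zonelist_xml).iter("Zone")}

def audit(conf_xml, kasp_xml, zonelist_xml):
    """Return (policy, key type, message) findings that explain enforcer log lines."""
    repos = repositories(conf_xml)
    in_use = set(zone_policies(zonelist_xml).values())
    findings = []
    for pol, keys in policy_repos(kasp_xml).items():
        if pol not in in_use:  # the enforcer still walks this policy every run
            findings.append((pol, "*", "no zone uses this policy, but the enforcer still processes it"))
        for ktype, repo in keys.items():
            if repo not in repos:
                findings.append((pol, ktype, f"repository {repo!r} is not defined in conf.xml"))
            elif repos[repo][0]:
                findings.append((pol, ktype, f"{repo} has RequireBackup: keys stay inactive until backed up"))
    return findings
```

Calling audit(CONF_XML, KASP_XML, ZONELIST_XML) on the constructed input reports the unused default policy and its luna1 KSK repository with RequireBackup, and nothing for SCKR_S1T1, whose keys both live in softHSM.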

 
