[Opendnssec-develop] [OpenDNSSEC] #73: Keytag checked overzealously?

OpenDNSSEC owner-dnssec-trac at kirei.se
Wed Jan 20 10:21:41 CET 2010

#73: Keytag checked overzealously?
Reporter:  rick@…                |       Owner:  sion    
    Type:  enhancement           |      Status:  new     
Priority:  trivial               |   Component:  Enforcer
 Version:                        |    Keywords:          
 I did something awful -- I deleted a public key in the HSM by going under
 OpenDNSSEC.  So what follows is certainly not a showstopper for 1.0, but
 it did seem impractical how OpenDNSSEC responded.  Platform was RC2.

 ksmutil lists the half key as "NOT IN repository", which is a very clear
 indicator of the exceptional situation.  But when I try to roll it (using
 the CKA_ID, lacking the keytag) I get a complaint from ksk-roll that I
 don't quite understand to be a necessary hurdle to recover from a missing
 key.  After ksmutil key rollover I did/got:

 [root at apollo ~]# ksmutil key ksk-roll --zone openfortress.nl --cka_id
 *WARNING* This will retire the currently active KSK; are you sure? [y/N] y
 SQLite database set to: /var/opendnssec/kasp.db
 Error: keytag "(null)"; should be numeric only

 It turns out that I am stuck with a key that doesn't want to work anymore
 -- and I don't think this is desirable behaviour, if it can be avoided.
 Should the keytag-is-null perhaps be tuned down to a warning to improve
 the practical usefulness of OpenDNSSEC?

 This is not just silliness -- storage space in an HSM is expensive, so I
 am seeing if I can avoid using it for public keys.  I will also try if I
 can store the public key on a cheaper medium.

Ticket URL: <http://trac.opendnssec.org/ticket/73>
OpenDNSSEC <http://www.opendnssec.org/>
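The two behaviours the ticket contrasts, as an added illustration that is not OpenDNSSEC's own code: `dnskey_keytag` computes a key tag from DNSKEY RDATA the way RFC 4034 Appendix B describes it, and the hypothetical `select_ksk_for_roll` either rejects a key whose public half (and hence key tag) is missing, as the reported `ksmutil` run did, or warns and proceeds when the key was selected by CKA_ID. The `KeyRecord` fields and the sample keys are constructed for this example.

```python
import warnings
from dataclasses import dataclass
from typing import Optional


def dnskey_keytag(rdata: bytes, algorithm: int) -> int:
    """Key tag of a DNSKEY RR per RFC 4034 Appendix B.
    rdata is the wire-format RDATA: flags | protocol | algorithm | public key."""
    if algorithm == 1:
        # RSA/MD5 uses a modulus-based formula instead; not covered here.
        raise ValueError("algorithm 1 key tags are not computed by this example")
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


@dataclass
class KeyRecord:
    """Hypothetical enforcer view of one key (not OpenDNSSEC's schema)."""
    cka_id: str
    in_repository: bool
    rdata: Optional[bytes] = None  # None once the public key is gone from the HSM
    algorithm: int = 8

    @property
    def keytag(self) -> Optional[int]:
        return None if self.rdata is None else dnskey_keytag(self.rdata, self.algorithm)


def select_ksk_for_roll(keys, cka_id: str, strict: bool = True) -> KeyRecord:
    """Pick the KSK to retire by CKA_ID.  strict=True mirrors the reported error
    (a key with no keytag is rejected); strict=False warns and proceeds."""
    for key in keys:
        if key.cka_id != cka_id:
            continue
        if key.keytag is None:
            if strict:
                raise ValueError('keytag "(null)"; should be numeric only')
            warnings.warn(f"key {cka_id} is NOT IN repository; rolling without keytag")
        return key
    raise KeyError(f"no key with CKA_ID {cka_id}")


def roll_outcome(keys, cka_id: str, strict: bool = True):
    """Report what the operator would see: ('ok', keytag), ('warning', msg) or ('error', msg)."""
    with warnings.catch_warnings(record=True) as caught:
        warnings.simplefilter("always")
        try:
            key = select_ksk_for_roll(keys, cka_id, strict)
        except (ValueError, KeyError) as exc:
            return ("error", str(exc))
    return ("warning", str(caught[0].message)) if caught else ("ok", key.keytag)


# Constructed sample keys: one intact KSK, one whose public key was deleted.
SAMPLE_KEYS = [
    KeyRecord("deadbeef", True, bytes([1, 1, 3, 8, 1, 2, 3, 4])),
    KeyRecord("cafe", False),
]
```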
