[Opendnssec-develop] RE: Signconf

Rick Zijlker rick.zijlker at sidn.nl
Thu May 20 10:00:19 UTC 2010


Hey all,

ODS (enforcer) is not generating any new keys where I expect it to do. The situation:

I installed RC3 and signed some zones with it. Afterwards stopped the engines and I deleted the content of the following directories:
/var/opendnssec/tmp
/var/opendnssec/signconf
/var/opendnssec/signed

Then ran the following commands:
ods-ksmutil zone delete -all
ods-ksmutil update all
ods-ksmutil zone add -z nl
ods-ksmutil update all

Zonelist.xml shows only nl with proper paths. "ods-ksmutil key list -v" shows no keys.

This is the way I always start a new test and it always worked out. The only difference is that since RC3 I'm using the Luna SA instead of SoftHSM. The Luna contains 14 keypairs, shown in both ods-hsmutil and the Luna client software.

But now it seems ODS (enforcer) is unable to generate keys. There is still no signconf generated for nl. This has been logged exactly like this for about 16 hours now:

May 20 11:00:02 signer1 ods-enforcerd: Reading config "/etc/opendnssec/conf.xml"
May 20 11:00:02 signer1 ods-enforcerd: Reading config schema "/usr/local/share/opendnssec/conf.rng"
May 20 11:00:02 signer1 ods-enforcerd: Communication Interval: 3600
May 20 11:00:02 signer1 ods-enforcerd: No DS Submit command supplied
May 20 11:00:02 signer1 ods-enforcerd: SQLite database set to: /var/opendnssec/kasp.db
May 20 11:00:02 signer1 ods-enforcerd: Log User set to: local0
May 20 11:00:02 signer1 ods-enforcerd: Switched log facility to: local0
May 20 11:00:02 signer1 ods-enforcerd: Connecting to Database...
May 20 11:00:02 signer1 ods-enforcerd: Policy default found.
May 20 11:00:02 signer1 ods-enforcerd: Key sharing is Off.
May 20 11:00:02 signer1 ods-enforcerd: zonelist filename set to /etc/opendnssec/zonelist.xml.
May 20 11:00:02 signer1 ods-enforcerd: Zone nl found.
May 20 11:00:02 signer1 ods-enforcerd: Policy for nl set to default.
May 20 11:00:02 signer1 ods-enforcerd: Config will be output to /var/opendnssec/signconf/nl.xml.
May 20 11:00:02 signer1 ods-enforcerd: Not enough keys to satisfy ksk policy for zone: nl
May 20 11:00:02 signer1 ods-enforcerd: ods-enforcerd will create some more keys on its next run
May 20 11:00:02 signer1 ods-enforcerd: Error allocating ksks to zone nl
May 20 11:00:02 signer1 ods-enforcerd: Disconnecting from Database...
May 20 11:00:02 signer1 ods-enforcerd: Sleeping for 3600 seconds.

Generating keys in the Luna SA manually works out fine. So it's not full. I couldn't even imagine it, since there are only 14 keypairs in there right now.

I checked the kasp.db and there are traces of the old keys (previous signings) there. Should I try an ods-ksmutil setup? Even if that works, in my opinion ODS should be able to continue signing even with some traces of old keys.

sqlite> select * from keypairs;
2|f0aa22d8c7d2e84ca9645fabec41de1d|7|2048|1|10|2010-05-17 16:16:35|2010-05-17 22:28:08|2010-05-17 22:28:08|2010-05-18 12:28:08|||1|||2010-05-17 16:19:15|0
6|955506bafe1fbfac64454489f3189667|7|2048|1|10|2010-05-17 16:26:24|2010-05-17 22:28:09|2010-05-17 22:28:09|2010-05-18 12:28:09|||1|||2010-05-17 16:28:00|0
9|d1b3af3e062ed1413c7785df7197228b|7|2048|1|7|2010-05-17 23:28:09|2010-05-17 23:28:10|||||1||||0
10|61a39bbb3dc9287509c7955ffcd8a8d3|7|2048|1|7|2010-05-17 23:28:09|2010-05-17 23:28:10|||||1||||0
11|e5bd27be08ab78c1cebe152b91aa4620|7|1024|1|1|2010-05-18 10:49:37||||||1||||0
12|5ed8fbe39e752e7760fdf4c7580e24dd|7|1024|1|1|2010-05-18 10:49:37||||||1||||0

Keys part of the policy if it might be of any interest:

                <Keys>
                        <!-- Parameters for both KSK and ZSK -->
                        <TTL>PT1H</TTL>
                        <RetireSafety>PT1H</RetireSafety>
                        <PublishSafety>PT1H</PublishSafety>
                        <!-- <ShareKeys/> -->
                        <Purge>P1D</Purge>

                        <!-- Parameters for KSK only -->
                        <KSK>
                                <Algorithm length="2048">7</Algorithm>
                                <Lifetime>PT24H</Lifetime>
                                <Repository>luna</Repository>
                                <Standby>1</Standby>
                        </KSK>

                        <!-- Parameters for ZSK only -->
                        <ZSK>
                                <Algorithm length="1024">7</Algorithm>
                                <Lifetime>PT8H</Lifetime>
                                <Repository>luna</Repository>
                                <Standby>1</Standby>
                                <!-- <ManualRollover/> -->
                        </ZSK>
                </Keys>

Who can help me out or confirm this is an issue?

Cheers,
Rick


From: Sion Lloyd [mailto:sion at nominet.org.uk]
Sent: Tuesday, May 18, 2010 2:10 PM
To: Rick Zijlker; Opendnssec-develop at lists.opendnssec.org
Subject: RE: Signconf

The signconfs are generated by the enforcer.

The enforcer runs on a scheduled basis as configured in the conf.xml <Enforcer><Interval> tag. This is actually how long the enforcer will sleep for between runs.

If you want the enforcer to wake up out-of-sequence then send it a SIGHUP.

Sion
________________________________
From: opendnssec-develop-bounces at lists.opendnssec.org [opendnssec-develop-bounces at lists.opendnssec.org] on behalf of Rick Zijlker [rick.zijlker at sidn.nl]
Sent: 18 May 2010 12:28
To: Opendnssec-develop at lists.opendnssec.org
Subject: [Opendnssec-develop] Signconf
Hey,

Can anyone explain to me when and by whom the signconf of a zone is created? I am often running into situations where ODS is waiting/searching for a signconf and often I need to restart or just wait and suddenly it's there. I would like to know in more detail what happens.

Thanks,
Rick