[Opendnssec-develop] RE: Signconf

Rick Zijlker rick.zijlker at sidn.nl
Thu May 20 14:27:50 UTC 2010



> When you say that you can manually create keys, do you mean that you can run ods-ksmutil key generate?
>
> If you have not tried that could you do so?



They were manually created with the Luna SA client. When using 'key generate' nothing would be generated.

By running 'ods-ksmutil setup' and clearing the HSM of any keys, it is running again. But I don't understand why the keys in the kasp.db weren't purged since they were not in use by any zone. It was also not corresponding to the key list listed by the HSM at that time:

[root at signer1 ~]# ods-hsmutil list luna
Listing keys in repository: luna
14 keys found.

Repository            ID                                Type
----------            --                                ----
luna                  4cbe955b68f0201299537e51ca391a9f  RSA/1024
luna                  c24a8dd3ab0f409d25c1ffce6eb7acad  RSA/2048
luna                  eb4a7c10f974cdc23edf2bf19bd7925e  RSA/2048
luna                  404baab6dc60fef4342d1680d8ba700990d55197  RSA/1024
luna                  829c9404b3b8b0f504904419691d587de9b34614  RSA/2048
luna                  3d1c8641da88ba9e14af9f647d1c69cf  RSA/1024
luna                  c04797e33c6ccc998ecf9e67d1d76a872d643172  RSA/1024
luna                  cf33fc0fd6758124bf45e375c057631fb722a555  RSA/1024
luna                  f0aa22d8c7d2e84ca9645fabec41de1d  RSA/2048
luna                  955506bafe1fbfac64454489f3189667  RSA/2048
luna                  d1b3af3e062ed1413c7785df7197228b  RSA/2048
luna                  61a39bbb3dc9287509c7955ffcd8a8d3  RSA/2048
luna                  e5bd27be08ab78c1cebe152b91aa4620  RSA/1024
luna                  5ed8fbe39e752e7760fdf4c7580e24dd  RSA/1024

Not all of these keys were present in kasp.db. Also didn't pregenerate any keys when comparing, so I would expect the old keys to be purged.

I am gonna do some more testing on this matter and let you know as soon as I have any new findings.

Cheers,
Rick

