[Opendnssec-user] Signer Engine?

B C brettlists at gmail.com
Fri Aug 21 12:02:23 UTC 2009


I can confirm that if I start the signer engine with -d it seems to
run fine; I can then connect to it using the CLI and then sign and
clear my zone.

Another issue I seem to have though, if I do:

 /opt/opendnssec/bin/hsmutil list

I get the output

Listing keys in all repositories.
4 keys found.

Repository            ID                                Type
----------            --                                ----
softHSM               c0064c2a42844fdb04574edfb56040bc  RSA/1024
softHSM               9390ac52de287fa9f35239c04933192e  RSA/1024
softHSM               d000af9031cbca0caeec04df9b947936  RSA/2048
softHSM               1cfeaa7c1a02774b62fb640bfb0b5dbf  RSA/2048

So I guess the 2*2048 bit keys are my KSK

However if I try and extract my KSK DNSKEY for publication with:

hsmutil dnskey d000af9031cbca0caeec04df9b947936 pwei.net

I get a ZSK, and in fact running hsmutil against any of the above IDs
results in a ZSK. (Note: I can confirm that my zone does have some
KSKs with the 257 flag in it.)

pwei.net.       3600    IN      DNSKEY  256 3 5
AwEAAbf673bS3J6mhP/eGhX4Lal6NevhkwkoI1JvDShCSz+SjqBkcDmZcvfUeyPTxapvRYoqKozPDWFm0wYdPnbymhzBuXyNSY1U0up5fyGmMMrw5bYlroZBMr4UJQCBKceeN9m3lNXNu0zZBuzGvCDbw+BXLnunk+QatJfriXyE5gN88n3Vo3XgvMIbCR4SBXcZ4qRwUsT5F2vE94bbnAgUrLMTiN76LU/A/P4q/YyagOGWHGMiOIxZZYktynbETBlpjX8KMb++ibwY0HUaCbJ2/XrNO8CPF6oLiev/TWrIFkxc2v0mWBff3MPNBAiIS4JAPKZqps8KpA8ve6Zvabq3gqM=
;{id = 508 (zsk), size = 2048b}



2009/8/20 Rickard Bondesson <rickard.bondesson at iis.se>:
>> Hi,
>>
>> I'm experiencing exactly the same error on our test server
>> running RHEL5. The signer engine starts only if I give option "-d".
>>
>> Antti
>
> Matthijs, could you have a look at this?
>
> // Rickard
>
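
An added example, not part of the original post and not OpenDNSSEC or hsmutil code: a check that decodes a DNSKEY record's flags field (256 versus 257), its key tag (RFC 4034 Appendix B) and its RSA modulus size, the same values shown in the `;{id = ..., size = ...}` comment above, so an exported key can be confirmed as a KSK before it is published. The function names and the two sample records are constructed for illustration.

```python
import base64
import struct

ZONE_BIT = 0x0100  # RFC 4034 2.1.1: Zone Key flag (bit 7)
SEP_BIT = 0x0001   # RFC 4034 2.1.1: Secure Entry Point flag (bit 15)
RSA_ALGS = {5, 7, 8, 10}  # RSA algorithms using the RFC 3110 key layout

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (not valid for algorithm 1)."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def rsa_modulus_bits(pubkey: bytes) -> int:
    """RFC 3110 layout: exponent length (1 or 3 bytes), exponent, modulus."""
    explen, off = pubkey[0], 1
    if explen == 0:  # long form: next two bytes hold the length
        explen, off = struct.unpack("!H", pubkey[1:3])[0], 3
    return int.from_bytes(pubkey[off + explen:], "big").bit_length()

def inspect_dnskey(record: str) -> dict:
    """Decode one presentation-format DNSKEY RR (may span several lines)."""
    tokens = []
    for line in record.splitlines():
        line = line.split(";", 1)[0]  # drop trailing comments
        tokens += line.replace("(", " ").replace(")", " ").split()
    i = tokens.index("DNSKEY")
    flags, proto, alg = (int(t) for t in tokens[i + 1:i + 4])
    pubkey = base64.b64decode("".join(tokens[i + 4:]), validate=True)
    if not flags & ZONE_BIT:
        role = "not a zone key"
    else:
        role = "KSK" if flags & SEP_BIT else "ZSK"
    return {
        "flags": flags,
        "role": role,
        "key_tag": key_tag(struct.pack("!HBB", flags, proto, alg) + pubkey),
        "bits": rsa_modulus_bits(pubkey) if alg in RSA_ALGS else None,
    }

# Constructed sample records (toy 16-bit modulus, not real keys).
SAMPLE_KSK = "example.test. 3600 IN DNSKEY 257 3 5 AwEAAcAB ;{constructed}"
SAMPLE_ZSK = "example.test. 3600 IN DNSKEY 256 3 5\nAwEAAcAB\n;{constructed}"

if __name__ == "__main__":
    for rec in (SAMPLE_KSK, SAMPLE_ZSK):
        print(inspect_dnskey(rec))
```

The same key material yields a different key tag under flags 256 and 257, because the flags field is part of the RDATA the tag is computed over.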


