[Opendnssec-user] adding a zone, key processing fails

Tom Hendrikx tom at whyscream.net
Wed Dec 15 18:54:14 UTC 2010


On 13/12/10 12:57, Sion Lloyd wrote:
>> Inspecting kasp.db does list the keys that are unknown to the HSM, even
>> after the re-adding and removal of zone example.com, which gets these
>> keys added to it. I'll send you the kasp.db off-list, but I assume that
>> it would be possible to use regular SQL to remove the missing keys from
>> the kasp.db 'keypairs' table?
> 
> Yes, that would work. It looks like the keys were never used, so the system 
> thinks that they are available for any new zone that you add.
> 
> I'm still unsure as to how the database got into this state; deleting the zone 
> should leave the keys in the HSM, unless you run "ods-ksmutil key purge".
> 

I further investigated the logs on how this situation was created, and I
found out:

I wanted to migrate a signed zone to this new setup, and imported the
keys that were already in use. The old keys had alg 7
(RSASHA1-NSEC3-SHA1), but the policy to which I added the zone had alg 8
(RSASHA256). After I noticed this error (upon signing), I removed the
zone from ODS, and the keys from the HSM. I'm not really sure how I
exactly did that (the logging has no useful data on that), but it seems
that the keypair entries were not removed from kasp.db. This might just
be a genuine case of PEBKAC :/

The only conclusion would be that it would be nice if more logging of
"ods-ksmutil zone *" commands were available, at least for commands
that change data. Currently 'zone add/delete' do not log anything. The same
goes for ods-hsmutil.

-- 
Regards,
	Tom
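
The failure mode described in this thread (keypair rows left in kasp.db after the key objects were deleted from the HSM, which the enforcer then hands to the next zone even though their algorithm does not match the policy) can be checked for before it bites. The following is an added example, not code from the thread or from OpenDNSSEC itself. It assumes a minimal stand-in for the kasp.db `keypairs` and `dnsseckeys` tables (the column names `HSMkey_id`, `algorithm`, `policy_id`, `keypair_id` are an assumption here; confirm them against `sqlite3 kasp.db .schema` on your own installation), takes the set of key IDs the HSM actually holds as input, and takes the expected algorithm per policy from kasp.xml. It reports orphaned and algorithm-mismatched keypairs and only deletes rows that no zone references, which is the SQL cleanup Sion confirms is safe for never-used keys.

```python
import sqlite3

# Assumed minimal subset of the OpenDNSSEC 1.x kasp.db schema (column names are
# an assumption for this example; confirm against `sqlite3 kasp.db .schema`).
KASP_SCHEMA = """
CREATE TABLE keypairs (
    id        INTEGER PRIMARY KEY,
    HSMkey_id TEXT    NOT NULL,  -- CKA_ID of the key object inside the HSM
    algorithm INTEGER NOT NULL,  -- DNSSEC algorithm (7 = RSASHA1-NSEC3-SHA1, 8 = RSASHA256)
    policy_id INTEGER NOT NULL
);
CREATE TABLE dnsseckeys (
    id         INTEGER PRIMARY KEY,
    keypair_id INTEGER NOT NULL,  -- keypairs.id this zone key uses
    zone_id    INTEGER NOT NULL
);
"""

# Constructed sample rows mirroring the thread: two imported alg 7 keys whose
# HSM objects were deleted, and one alg 8 key that still exists and is in use.
SAMPLE_KEYPAIRS = [
    (1, "0a1b2c", 7, 1),
    (2, "3d4e5f", 7, 1),
    (3, "6a7b8c", 8, 1),
]
SAMPLE_DNSSECKEYS = [(1, 3, 1)]  # keypair 3 is attached to zone 1


def build_sample_db():
    """Create an in-memory kasp.db stand-in with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(KASP_SCHEMA)
    conn.executemany("INSERT INTO keypairs VALUES (?, ?, ?, ?)", SAMPLE_KEYPAIRS)
    conn.executemany("INSERT INTO dnsseckeys VALUES (?, ?, ?)", SAMPLE_DNSSECKEYS)
    conn.commit()
    return conn


def audit_keypairs(conn, hsm_key_ids, policy_algorithms):
    """Return keypair ids the HSM no longer holds ('orphaned') and keypair ids
    whose algorithm differs from their policy's algorithm ('mismatched').

    hsm_key_ids: set of CKA_IDs the HSM reports (e.g. gathered from `ods-hsmutil list`).
    policy_algorithms: {policy_id: algorithm number} taken from kasp.xml.
    """
    orphaned, mismatched = [], []
    rows = conn.execute(
        "SELECT id, HSMkey_id, algorithm, policy_id FROM keypairs ORDER BY id"
    )
    for kp_id, hsm_id, alg, policy_id in rows:
        if hsm_id not in hsm_key_ids:
            orphaned.append(kp_id)
        expected = policy_algorithms.get(policy_id)
        if expected is not None and alg != expected:
            mismatched.append(kp_id)
    return {"orphaned": orphaned, "mismatched": mismatched}


def delete_unused_keypairs(conn, keypair_ids):
    """Delete the given keypair rows, but only those no zone references.
    Returns the number of rows removed. Back up kasp.db before running this."""
    keypair_ids = list(keypair_ids)
    if not keypair_ids:
        return 0
    placeholders = ",".join("?" * len(keypair_ids))
    cur = conn.execute(
        f"DELETE FROM keypairs WHERE id IN ({placeholders}) "
        "AND id NOT IN (SELECT keypair_id FROM dnsseckeys)",
        keypair_ids,
    )
    conn.commit()
    return cur.rowcount


if __name__ == "__main__":
    db = build_sample_db()
    # HSM now holds only the alg 8 key; policy 1 is RSASHA256 (alg 8) in kasp.xml.
    report = audit_keypairs(db, {"6a7b8c"}, {1: 8})
    print(report)                                      # {'orphaned': [1, 2], 'mismatched': [1, 2]}
    print(delete_unused_keypairs(db, report["orphaned"]))  # 2
```

Run it against a real kasp.db by replacing `build_sample_db()` with `sqlite3.connect("/path/to/kasp.db")` and feeding it the CKA_IDs your HSM lists; the point of the `NOT IN (SELECT keypair_id FROM dnsseckeys)` guard is that a keypair row still attached to a zone is never removed by this cleanup, so a key that is genuinely in use but temporarily unreachable in the HSM is reported, not deleted.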
