[Opendnssec-user] adding a zone, key processing fails

Tom Hendrikx tom at whyscream.net
Thu Dec 16 08:48:06 UTC 2010


On 15/12/10 20:39, Sebastian Castro wrote:
> Tom Hendrikx wrote:
>> On 13/12/10 12:57, Sion Lloyd wrote:
>>
>> I wanted to migrate a signed zone to this new setup, and imported the
>> keys that were already in use. The old keys had alg 7
>> (RSASHA1-NSEC3-SHA1), but the policy to which I added the zone had alg 8
>> (RSASHA256). After I noticed this error (upon signing), I removed the
>> zone from ODS, and the keys from the HSM. I'm not really sure how I
>> exactly did that (the logging has no useful data on that), but it seems
>> that the keypair entries were not removed from kasp.db. This might just
>> be a genuine case of PEBKAC :/
>>
>> Only conclusion would be that it would be nice if more logging of
>> "ods-ksmutil zone *" commands would be available, at least for commands
>> that change data. Currently 'zone add/delete' do not log anything. Same
>> goes for ods-hsmutil.
>>
> 
> We've been working internally with a version of ods-ksmutil that logs
> the command executed. That helps us to track certain changes. If you or
> any other opendnssec user think it's a useful feature, we could send the
> patch to the developers.
> 
> cheers,
> 

After more investigation I could trace back some more of my steps, but
I'd have to thank sudo for its robust logging for that. So more logging
in ksmutil would be nice, yes.

I'm also willing to test your current work, if you're ok with that.

--
Regards,
	Tom
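The mismatch that caused the signing failure above (imported keys with algorithm 7, RSASHA1-NSEC3-SHA1, under a policy that requires algorithm 8, RSASHA256) can be caught before anything is imported. The following is an added example, not code from this thread or from OpenDNSSEC itself: it parses DNSKEY records in presentation format and reports every key whose algorithm differs from the policy's. The sample records, the `example.net.` owner and the base64 key material are constructed placeholders; `parse_dnskeys` and `check_against_policy` are names chosen here. The algorithm numbers are the IANA DNS Security Algorithm Numbers.

```python
import re

# IANA DNS Security Algorithm Numbers (subset); 7 and 8 are the two from the thread
ALGORITHMS = {
    5: "RSASHA1",
    7: "RSASHA1-NSEC3-SHA1",
    8: "RSASHA256",
    10: "RSASHA512",
    13: "ECDSAP256SHA256",
    14: "ECDSAP384SHA384",
}

# DNSKEY presentation format: owner [ttl] [class] DNSKEY flags protocol algorithm key
DNSKEY_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?:\d+\s+)?(?:IN\s+)?DNSKEY\s+"
    r"(?P<flags>\d+)\s+(?P<proto>\d+)\s+(?P<alg>\d+)\s+(?P<key>\S+)"
)

# Constructed sample reproducing the thread's situation: two old keys with
# algorithm 7 (RSASHA1-NSEC3-SHA1) and one key with algorithm 8 (RSASHA256).
# The key material is placeholder base64, not real keys.
SAMPLE_DNSKEYS = """\
; constructed sample, not real key material
example.net. 3600 IN DNSKEY 257 3 7 AwEAAcKSKplaceholderKeyMaterial7==
example.net. 3600 IN DNSKEY 256 3 7 AwEAAcZSKplaceholderKeyMaterial7==
example.net. 3600 IN DNSKEY 256 3 8 AwEAAcZSKplaceholderKeyMaterial8==
"""


def parse_dnskeys(text):
    """Return a list of dicts (owner, role, algorithm), one per DNSKEY line."""
    keys = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue  # blank line or zone-file comment
        m = DNSKEY_RE.match(line)
        if not m:
            continue  # some other record type (SOA, NS, ...) in a zone dump
        if int(m.group("proto")) != 3:
            continue  # RFC 4034: protocol must be 3, otherwise it is not a valid DNSKEY
        flags = int(m.group("flags"))
        keys.append({
            "owner": m.group("owner"),
            # The SEP flag is the least significant bit: 257 = KSK, 256 = ZSK
            "role": "KSK" if flags & 0x0001 else "ZSK",
            "algorithm": int(m.group("alg")),
        })
    return keys


def check_against_policy(keys, policy_alg):
    """Return one message per key whose algorithm differs from the policy's.

    An empty list means importing these keys under that policy is consistent;
    signing with a key of another algorithm is exactly the failure the thread hit.
    """
    problems = []
    for k in keys:
        if k["algorithm"] != policy_alg:
            problems.append(
                "%s %s uses algorithm %d (%s) but the policy requires %d (%s)" % (
                    k["owner"], k["role"],
                    k["algorithm"], ALGORITHMS.get(k["algorithm"], "unknown"),
                    policy_alg, ALGORITHMS.get(policy_alg, "unknown")))
    return problems


if __name__ == "__main__":
    # Policy algorithm 8, as in the thread: the two algorithm-7 keys are flagged
    for problem in check_against_policy(parse_dnskeys(SAMPLE_DNSKEYS), 8):
        print("MISMATCH:", problem)
```

Run it against a `dig DNSKEY` dump or the DNSKEY lines of the old zone file before importing anything; either fix the policy to match the old keys or plan a proper algorithm rollover, rather than discovering the mismatch at signing time and then having to clean kasp.db and the HSM by hand.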
