[Opendnssec-user] Some glitches in OpenDNSSEC

Ondřej Surý ondrej at sury.org
Fri Jul 2 10:51:32 CEST 2010


Hi,

I think I was able to find the root cause for this type of failure. I was
not able to reproduce the exact error, but it seems that the signer works
a little differently with the key database than the enforcer does.

See this output:

# ods-ksmutil key list -z udp53.cz --verbose
SQLite database set to: /var/lib/opendnssec/db/kasp.db
Keys:
Zone:     Keytype:  State:  Date of next transition:  CKA_ID:                                   Repository:  Keytag:
udp53.cz  ZSK       active  (not scheduled)           6b26b2d96ef3b254d88c6577706902d6cc869646  SoftHSM      9005
udp53.cz  ZSK       active  (not scheduled)           dc47cfa06d5cd161da3b427fb4bd1f6f          SoftHSM      9005
udp53.cz  KSK       active  (not scheduled)           7c6bb7920b277b86f4035a42cead6966          SoftHSM      51381

Only three keys are seen by the enforcer.

But the signer fails with the following errors:

Jul  2 10:47:04 tanuki ods-signerd: Run command: '/usr/lib/opendnssec/opendnssec/get_serial -f /var/lib/opendnssec/unsigned/udp53.cz'
Jul  2 10:47:04 tanuki ods-signerd: Sorting zone: udp53.cz
Jul  2 10:47:04 tanuki ods-signerd: Run command: '/usr/lib/opendnssec/opendnssec/quicksorter -o udp53.cz. -f /var/lib/opendnssec/unsigned/udp53.cz -w /var/lib/opendnssec/tmp/udp53.cz.sorted -m 3600 -t 3600'
Jul  2 10:47:04 tanuki ods-signerd: Done sorting
Jul  2 10:47:04 tanuki ods-signerd: Nseccing zone: udp53.cz
Jul  2 10:47:04 tanuki ods-signerd: No information yet for key ce818684147fa84eeab2264fed275277
Jul  2 10:47:04 tanuki ods-signerd: Generating DNSKEY RR for ce818684147fa84eeab2264fed275277
Jul  2 10:47:04 tanuki ods-signerd: Run command: '/usr/lib/opendnssec/opendnssec/get_class -f /var/lib/opendnssec/tmp/udp53.cz.sorted'
Jul  2 10:47:04 tanuki ods-signerd: create_dnskey stderr: Unable to find key with id ce818684147fa84eeab2264fed275277
Jul  2 10:47:04 tanuki ods-signerd: create_dnskey status: 11
Jul  2 10:47:04 tanuki ods-signerd: equality: False
Jul  2 10:47:04 tanuki ods-signerd: Error: could not find key ce818684147fa84eeab2264fed275277
Jul  2 10:47:04 tanuki ods-signerd: No information yet for key dccadff4d45bcc4e4ee1ebd9e36488cb25bc899a
Jul  2 10:47:04 tanuki ods-signerd: Generating DNSKEY RR for dccadff4d45bcc4e4ee1ebd9e36488cb25bc899a
Jul  2 10:47:04 tanuki ods-signerd: Run command: '/usr/lib/opendnssec/opendnssec/get_class -f /var/lib/opendnssec/tmp/udp53.cz.sorted'
Jul  2 10:47:04 tanuki ods-signerd: create_dnskey status: 0
Jul  2 10:47:04 tanuki ods-signerd: equality: True
Jul  2 10:47:04 tanuki ods-signerd: Found key dccadff4d45bcc4e4ee1ebd9e36488cb25bc899a
Jul  2 10:47:04 tanuki ods-signerd: No information yet for key 942d04ec22b27f0a237109f98f72ff34
Jul  2 10:47:04 tanuki ods-signerd: Generating DNSKEY RR for 942d04ec22b27f0a237109f98f72ff34
Jul  2 10:47:04 tanuki ods-signerd: Run command: '/usr/lib/opendnssec/opendnssec/get_class -f /var/lib/opendnssec/tmp/udp53.cz.sorted'
Jul  2 10:47:04 tanuki ods-signerd: create_dnskey stderr: Unable to find key with id 942d04ec22b27f0a237109f98f72ff34
Jul  2 10:47:04 tanuki ods-signerd: create_dnskey status: 11
Jul  2 10:47:04 tanuki ods-signerd: equality: False
Jul  2 10:47:04 tanuki ods-signerd: Error: could not find key 942d04ec22b27f0a237109f98f72ff34
Jul  2 10:47:04 tanuki ods-signerd: No information yet for key 4f3d96f9fac22e7d9713a3cf0d811d90
Jul  2 10:47:04 tanuki ods-signerd: Generating DNSKEY RR for 4f3d96f9fac22e7d9713a3cf0d811d90
Jul  2 10:47:04 tanuki ods-signerd: Run command: '/usr/lib/opendnssec/opendnssec/get_class -f /var/lib/opendnssec/tmp/udp53.cz.sorted'
Jul  2 10:47:04 tanuki ods-signerd: create_dnskey stderr: Unable to find key with id 4f3d96f9fac22e7d9713a3cf0d811d90
Jul  2 10:47:04 tanuki ods-signerd: create_dnskey status: 11
Jul  2 10:47:04 tanuki ods-signerd: equality: False
Jul  2 10:47:04 tanuki ods-signerd: Error: could not find key 4f3d96f9fac22e7d9713a3cf0d811d90
Jul  2 10:47:04 tanuki ods-signerd: No information yet for key e7a7a9d2c15b74c6622eb0ff5f15c66fbd3a50eb
Jul  2 10:47:04 tanuki ods-signerd: Generating DNSKEY RR for e7a7a9d2c15b74c6622eb0ff5f15c66fbd3a50eb
Jul  2 10:47:04 tanuki ods-signerd: Run command: '/usr/lib/opendnssec/opendnssec/get_class -f /var/lib/opendnssec/tmp/udp53.cz.sorted'
Jul  2 10:47:04 tanuki ods-signerd: create_dnskey status: 0
Jul  2 10:47:04 tanuki ods-signerd: equality: True
Jul  2 10:47:04 tanuki ods-signerd: Found key e7a7a9d2c15b74c6622eb0ff5f15c66fbd3a50eb
Jul  2 10:47:04 tanuki ods-signerd: Run command: '/usr/lib/opendnssec/opendnssec/get_class -f /var/lib/opendnssec/tmp/udp53.cz.sorted'
Jul  2 10:47:04 tanuki ods-signerd: Run command: '/usr/lib/opendnssec/opendnssec/zone_reader -c /etc/opendnssec/conf.xml -f /var/lib/opendnssec/tmp/udp53.cz.sorted -k 1 -o udp53.cz -s /var/lib/opendnssec/signconf/udp53.cz.xml -w /var/lib/opendnssec/tmp/udp53.cz.nsecced -x /var/lib/opendnssec/tmp/udp53.cz.optout'
Jul  2 10:47:04 tanuki ods-signerd: Writing file to zone_reader: /var/lib/opendnssec/tmp/udp53.cz.sorted
Jul  2 10:47:04 tanuki ods-signerd: stderr from zone_reader: could not find key ce818684147fa84eeab2264fed275277
Jul  2 10:47:04 tanuki ods-signerd: stderr from zone_reader: error creating DNSKEYs for zone 'udp53.cz'
Jul  2 10:47:04 tanuki ods-signerd: stderr from zone_reader: Error, unable to publish DNSKEYs for zone udp53.cz


So my conclusion is that I have imported the same key under different
CKA_IDs and the signer used them both, and that created the error.

Ondrej

2010/7/2 Alex Dalitz <AlexD at nominet.org.uk>:
>>> - I was able to create such a mess in the keys for udp53.cz, that I
>>> had to disable auditor :)
>>
>> We should have a look on this.
>
>
> Sorry - I forgot to say that I have been in contact with Ondrej off-list. Unfortunately, the original signed file has been lost, so it is impossible to be certain about the effect, let alone the cause. However, we suspect that the system may have become so deeply confused (we really need to work on deleting and re-adding zones, which currently has some issues), that the signer may not have done The Right Thing.
>
> HTH
>
>
> Alex.



-- 
Ondřej Surý <ondrej at sury.org>
http://blog.rfc1925.org/
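
Added example, not part of the original post or of OpenDNSSEC: a Python cross-check of the enforcer's key list against the key ids the signer logs, using the output quoted above re-joined onto single lines as sample input. The function names and the report layout are assumptions made for this illustration. Two CKA_IDs sharing a key tag is consistent with one key imported twice, although tags can also collide by chance.

```python
import re
from collections import defaultdict

# Sample input: rows and log lines quoted in the post, re-joined and abridged.
KEY_LIST = """\
udp53.cz  ZSK  active  (not scheduled)  6b26b2d96ef3b254d88c6577706902d6cc869646  SoftHSM  9005
udp53.cz  ZSK  active  (not scheduled)  dc47cfa06d5cd161da3b427fb4bd1f6f  SoftHSM  9005
udp53.cz  KSK  active  (not scheduled)  7c6bb7920b277b86f4035a42cead6966  SoftHSM  51381
"""
SIGNER_LOG = """\
ods-signerd: create_dnskey stderr: Unable to find key with id ce818684147fa84eeab2264fed275277
ods-signerd: Found key dccadff4d45bcc4e4ee1ebd9e36488cb25bc899a
ods-signerd: create_dnskey stderr: Unable to find key with id 942d04ec22b27f0a237109f98f72ff34
ods-signerd: create_dnskey stderr: Unable to find key with id 4f3d96f9fac22e7d9713a3cf0d811d90
ods-signerd: Found key e7a7a9d2c15b74c6622eb0ff5f15c66fbd3a50eb
"""

# zone, key type, state, <transition date>, CKA_ID (32 or 40 hex), repository, key tag
ROW = re.compile(
    r"^(\S+)\s+(KSK|ZSK)\s+(\w+)\s+.*?\b([0-9a-f]{32,40})\s+(\S+)\s+(\d+)\s*$")

def enforcer_keys(text):
    """Return {cka_id: (keytype, keytag)} from `ods-ksmutil key list --verbose` rows."""
    keys = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            keys[m.group(4)] = (m.group(2), int(m.group(6)))
    return keys

def signer_keys(log):
    """Return (found, missing) key-id sets; \\s+ tolerates e-mail line wrapping."""
    found = set(re.findall(r"Found key\s+([0-9a-f]{32,40})", log))
    missing = set(re.findall(r"Unable to\s+find key with id\s+([0-9a-f]{32,40})", log))
    return found, missing

def report(key_list, log):
    """Cross-check the enforcer's view of a zone's keys against the signer's."""
    enf = enforcer_keys(key_list)
    found, missing = signer_keys(log)
    by_tag = defaultdict(list)
    for cka_id, (keytype, tag) in enf.items():
        by_tag[(keytype, tag)].append(cka_id)
    return {
        # several CKA_IDs with one key tag: possibly the same key imported twice
        "same_keytag": {k: v for k, v in by_tag.items() if len(v) > 1},
        # ids the signer asked for that the enforcer does not list for the zone
        "signer_only": sorted((found | missing) - set(enf)),
        # ids the signer could not resolve in the HSM
        "unresolved": sorted(missing),
    }
```

On this sample, none of the five ids the signer asks for appears in the enforcer's list, and the two ZSK rows share key tag 9005.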


