[Opendnssec-user] key ID inconsistency

Rickard Bellgrim rickard.bellgrim at iis.se
Wed Jul 7 11:49:32 UTC 2010


On 7 Jul 2010, at 09:59, Pierre Lebrech wrote:

> $ ods-ksmutil key export -z titi.com --keytype KSK --keystate dspublish
> SQLite database set to: /var/opendnssec/kasp.db
> 
> ;dspublish KSK DNSKEY record:
> titi.com.       3600    IN      DNSKEY  257 3 7
> AwEAAeN/vCwFhhtKNC9G1fQBdFxSZtqFtNMo4GbLGfO1FdDX15OXTW+FtW2zXj+HBsojlYczjrSY7AtxPo7TpmK9UfLmJH/ayDM47zKHA+bYNH+HAPtDk3TX1BbE3lRPQRH/cPGzBKdhM9Q+r3B+6lt0lcgWtlPbdHGz3MiKTpYnrOwAFr0RwcgmazenQUe/qd9oV1YovtyZYfFqG9T5TW30XfVBbVind2RYjDW+bC598HBN797OHOZF/FSGU4zv711aJYDfcpXypYu01P3kQ5hAO0/M2pM/HybHhe9W56m2FfnQEyJCG2rDUgY6lR65x4l6/eO4M9HQsMCfuw4BBKvnbBc=
> ;{id = 41116 (ksk), size = 2048b}
> 
> OK and now I call ods-hsmutil :
> 
> $ ods-hsmutil dnskey 9821a32b2053e075d8c94eecef366eda titi.com
> titi.com.       3600    IN      DNSKEY  256 3 5
> AwEAAeN/vCwFhhtKNC9G1fQBdFxSZtqFtNMo4GbLGfO1FdDX15OXTW+FtW2zXj+HBsojlYczjrSY7AtxPo7TpmK9UfLmJH/ayDM47zKHA+bYNH+HAPtDk3TX1BbE3lRPQRH/cPGzBKdhM9Q+r3B+6lt0lcgWtlPbdHGz3MiKTpYnrOwAFr0RwcgmazenQUe/qd9oV1YovtyZYfFqG9T5TW30XfVBbVind2RYjDW+bC598HBN797OHOZF/FSGU4zv711aJYDfcpXypYu01P3kQ5hAO0/M2pM/HybHhe9W56m2FfnQEyJCG2rDUgY6lR65x4l6/eO4M9HQsMCfuw4BBKvnbBc=
> ;{id = 41113 (zsk), size = 2048b}
> 
> 
> 
> In this last result, I am surprised by the answer: the ID I get is 41113 (ZSK: 256). Well,
> the key is correct though.

The difference in the key tag is because the first key is marked as a KSK using RSASHA1-NSEC3-SHA1 and the second key is marked as a ZSK using RSASHA1 (but the key tag is only a comment on the DNSKEY). The reason for this difference is that the HSM does not know the difference between a KSK, a ZSK, RSA with NSEC, or NSEC with NSEC3. The logic for this is in the Enforcer. Thus there should be some extra flags for the ods-hsmutil command where you state whether the key is a KSK or ZSK and what algorithm you are using (e.g. an RSA key can be used for algorithms 5, 7, 8 and 10), but I see that we have to implement that.

The output from ods-ksmutil is what is correct.

// Rickard
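The reply above explains the two different "id" values as a consequence of the flags and algorithm bytes, not of the key material. The following is an added worked example (not code from the thread or from OpenDNSSEC) that makes this concrete: it rebuilds the wire-format DNSKEY RDATA from the presentation lines quoted in the thread, computes the key tag as defined in RFC 4034 Appendix B, and shows that the same public key printed with flags 257/algorithm 7 and with flags 256/algorithm 5 gets two different tags. Because the tag is a 16-bit sum over the RDATA, the KSK variant comes out exactly 3 higher than the ZSK variant (+1 from the low flags byte, 257 versus 256, and +2 from the algorithm byte, 7 versus 5), which matches the 41116 versus 41113 printed in the post. The base64 key material is copied verbatim from the quoted output; the two record lines are constructed from it, and the helper names are the example's own.

```python
import base64
import struct

# Public key material exactly as printed in both quoted outputs (identical in both).
PUBKEY_B64 = "AwEAAeN/vCwFhhtKNC9G1fQBdFxSZtqFtNMo4GbLGfO1FdDX15OXTW+FtW2zXj+HBsojlYczjrSY7AtxPo7TpmK9UfLmJH/ayDM47zKHA+bYNH+HAPtDk3TX1BbE3lRPQRH/cPGzBKdhM9Q+r3B+6lt0lcgWtlPbdHGz3MiKTpYnrOwAFr0RwcgmazenQUe/qd9oV1YovtyZYfFqG9T5TW30XfVBbVind2RYjDW+bC598HBN797OHOZF/FSGU4zv711aJYDfcpXypYu01P3kQ5hAO0/M2pM/HybHhe9W56m2FfnQEyJCG2rDUgY6lR65x4l6/eO4M9HQsMCfuw4BBKvnbBc="

# Presentation-format records constructed from the quoted output:
# ods-ksmutil printed the key as a KSK (257) with algorithm 7 (RSASHA1-NSEC3-SHA1),
# ods-hsmutil printed the same key as a ZSK (256) with algorithm 5 (RSASHA1).
KSK_LINE = "titi.com. 3600 IN DNSKEY 257 3 7 " + PUBKEY_B64
ZSK_LINE = "titi.com. 3600 IN DNSKEY 256 3 5 " + PUBKEY_B64


def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """Wire-format DNSKEY RDATA: flags(2) | protocol(1) | algorithm(1) | public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (all algorithms except the obsolete RSA/MD5).

    Bytes at even offsets are added shifted left by 8, bytes at odd offsets as-is;
    the carry out of the low 16 bits is then folded back in once.
    """
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_dnskey(line):
    """Split 'owner TTL IN DNSKEY flags proto alg base64...' into (flags, proto, alg, b64)."""
    fields = line.split()
    i = fields.index("DNSKEY")
    flags, proto, alg = (int(x) for x in fields[i + 1:i + 4])
    return flags, proto, alg, "".join(fields[i + 4:])


def tag_of(line):
    """Key tag of a presentation-format DNSKEY record."""
    flags, proto, alg, b64 = parse_dnskey(line)
    return key_tag(dnskey_rdata(flags, proto, alg, b64))


def tag_delta(line_a, line_b):
    """(tag_a - tag_b) mod 2^16; isolates the contribution of the non-key bytes."""
    return (tag_of(line_a) - tag_of(line_b)) % 0x10000


def same_key_material(line_a, line_b):
    """True when both records carry byte-identical public key material."""
    return base64.b64decode(parse_dnskey(line_a)[3]) == base64.b64decode(parse_dnskey(line_b)[3])


def rsa_modulus_bits(pubkey_b64):
    """Modulus size of an RFC 3110 RSA public key (what the tools print as 'size = ...b')."""
    raw = base64.b64decode(pubkey_b64)
    exp_len, offset = raw[0], 1
    if exp_len == 0:  # long form: a 2-byte exponent length follows the zero byte
        exp_len, offset = struct.unpack("!H", raw[1:3])[0], 3
    modulus = raw[offset + exp_len:]
    return int.from_bytes(modulus, "big").bit_length()


if __name__ == "__main__":
    for line in (KSK_LINE, ZSK_LINE):
        flags, _, alg, _ = parse_dnskey(line)
        print(f"flags={flags} alg={alg} -> key tag {tag_of(line)}")
    print("same key material:", same_key_material(KSK_LINE, ZSK_LINE))
    print("KSK tag - ZSK tag (mod 2^16):", tag_delta(KSK_LINE, ZSK_LINE))
    print("modulus bits:", rsa_modulus_bits(PUBKEY_B64))
```

The practical consequence is the one the reply already points at: the tag is derived from the whole RDATA, so a DNSKEY or DS record built from ods-hsmutil's default flags and algorithm will not match the record the Enforcer actually publishes, even though the RSA modulus underneath is the same. Use the ods-ksmutil output (or pass the correct flags and algorithm) whenever the record is going to be handed to a parent zone.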
