[Opendnssec-user] Some glitches in OpenDNSSEC

Ondřej Surý ondrej at sury.org
Fri Jun 25 09:41:24 UTC 2010


Hi,

I have imported a couple of already signed domain names, and here are
some things I am missing:

- No way to get rid of an imported key or change the state of an already
imported key

- If I delete a zone and re-add it later, the keys are lost, but you
cannot re-import keys with the same CKA_ID.

- No way to remove "lost" keys (see the previous remark).

- Algorithm rollover is missing? And it's not in the roadmap yet?


- I was able to create such a mess in the keys for udp53.cz that I
had to disable the auditor :)

root at tanuki:/var/lib/opendnssec/signed# ods-ksmutil key list -z udp53.cz
SQLite database set to: /var/lib/opendnssec/db/kasp.db
Keys:
Zone:                           Keytype:      State:    Date of next transition:
udp53.cz                        ZSK           active    2010-06-25 11:07:21
udp53.cz                        KSK           active    2010-06-25 11:07:21
udp53.cz                        ZSK           active    2010-06-25 11:07:21
udp53.cz                        KSK           dssub     waiting for ds-seen
udp53.cz                        KSK           publish   2010-06-26 01:07:25
udp53.cz                        ZSK           publish   2010-06-26 01:07:25
udp53.cz                        ZSK           publish   2010-06-26 01:07:25

root at tanuki:/var/lib/opendnssec/signed# /usr/bin/ods-auditor -c /etc/opendnssec/conf.xml -s /var/lib/opendnssec/signed/udp53.cz -z udp53.cz
Auditor started
Auditor starting on udp53.cz
6: SOA differs : from 1 to 1277457652
6: Auditing udp53.cz zone : NSEC SIGNED
3: RRSet (udp53.cz, RRSIG) failed verification : No RRSet to verify, tag = 9005
3: RRSet (udp53.cz, RRSIG) failed verification : No RRSet to verify, tag = 9005
3: RRSet (bis.udp53.cz, RRSIG) failed verification : No RRSet to verify, tag = 9005
3: RRSet (rfc1034.udp53.cz, RRSIG) failed verification : No RRSet to verify, tag = 9005
3: RRSet (rfc1035.udp53.cz, RRSIG) failed verification : No RRSet to verify, tag = 9005
3: RRSet (rfc2627.udp53.cz, RRSIG) failed verification : No RRSet to verify, tag = 9005
3: RRSet (rfc2821.udp53.cz, RRSIG) failed verification : No RRSet to verify, tag = 9005
3: RRSet (rfc821.udp53.cz, RRSIG) failed verification : No RRSet to verify, tag = 9005
3: RRSet (vpn.udp53.cz, RRSIG) failed verification : No RRSet to verify, tag = 9005
3: RRSet (*.wildcard.udp53.cz, RRSIG) failed verification : No RRSet to verify, tag = 9005
3: RRSet (www.udp53.cz, RRSIG) failed verification : No RRSet to verify, tag = 9005
6: Finished auditing udp53.cz zone
Auditor found errors - check log for details

But the key is there:

root at tanuki:/var/lib/opendnssec/signed# cat udp53.cz | grep DNSKEY | grep 9005
udp53.cz.	3600	IN	DNSKEY	256 3 5 BQEAAAABsen6M50jxMSTASNKOLrKBRMPHJC3N2rtefclKkNo3l1LnLkMryX3B9sX/7eo9n67zIqIdA9OZf0V0pBn+HBTB9mZFb0+1OE/37wBOSoGfC9gixoZFQUiZxhOTZRGp8sqeNJQcBgnLTQ1fsIrmA707LKXqUS5N6kLOnBqiiNr/O0= ;{id = 9005 (zsk), size = 1024b}


Maybe the auditor is confused by double ZSK signatures with the same Key ID?

# cat udp53.cz | grep -E ^www.udp53.cz | grep -E "RRSIG[[:space:]]CNAME"
www.udp53.cz.	86400	IN	RRSIG	CNAME 5 3 86400 20100702112223 20100625080603 9005 udp53.cz. rr95qdhoWhTQBN83MEw99gnFBN3KEHH40pUTQOW/xn9XeDXmphpYMIxrb4p8YUnA/JaxxSFg/MgDPTnJ0+kpdGXOD2xEcjU96TKNcZh/Bw6EYkcNvyRh1qW8+bzuridWHwR7SKIEb9w2gxZCwRFt3/Zjb9wZE7Pv4DTQkND/TAM= ;{id = 9005}
www.udp53.cz.	86400	IN	RRSIG	CNAME 5 3 86400 20100702081935 20100625082052 9005 udp53.cz. MPKPbdW2DBeUiM16qRkv0L8T9oVDTYoTONbQ0eFeNJadAa2MoBYjlZI4wl665V/QEHxkiExne5/u2CKAAbRbkCrAj92F0HvGDCmidSu6IQsVxDUaPOXEnfKMYAIsXFu/M/OJmyFBTskBHMDY9fhCovg9NPaI1FL5i8ijevhC25o= ;{id = 9005}

This is probably some error which I created using ods-ksmutil key
import, but anyway this is not exactly a bug according to the spec.



BTW I have used a very rough shell script to import keys from zkt (the bit
length is hardcoded, and you may want to use a different way to get
$DATETIME, like stat-ing the key file), but it may be useful to someone:

# run inside the zkt directory of one zone; the directory name is the zone name
ZONE=$(basename "$(pwd)")
for KEY in *.key; do
  NAME=$(basename "$KEY" .key)
  # algorithm number is the 6th field of the DNSKEY line in the .key file
  ALG=$(grep DNSKEY "$KEY" | tr -s ' ' | cut -f 6 -d ' ')
  # flags 257 = KSK (SEP bit set), otherwise ZSK; bit lengths are hardcoded
  if grep -q 257 "$KEY"; then KEYTYPE=KSK; BITS=2048; else KEYTYPE=ZSK; BITS=1024; fi
  # zkt records the generation time in the .key file as "generationtime=..."
  DATETIME=$(grep generationtime "$KEY" | cut -f 2 -d =)
  # convert the zkt private key to PKCS#8 and import it into SoftHSM slot 0
  softhsm-keyconv --topkcs8 --in "$NAME.private" --out "$NAME.pem"
  CKA_ID=$(sha1sum "$NAME.pem" | cut -f 1 -d ' ')
  softhsm --slot 0 --pin 4785 --import "$NAME.pem" --label "$NAME" --id "$CKA_ID"
  # register the imported key with the OpenDNSSEC enforcer as an active key
  ods-ksmutil key import --cka_id "$CKA_ID" --repository SoftHSM --zone "$ZONE" \
    --bits "$BITS" --algorithm "$ALG" --keystate active --keytype "$KEYTYPE" --time "$DATETIME"
done

-- 
Ondřej Surý <ondrej at sury.org>
http://blog.rfc1925.org/
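The duplicate-signature check made above with grep, as an added Python example (not part of the original post and not OpenDNSSEC code): it scans a zone file in standard presentation format for RRSIGs that cover the same RRset with the same key tag, and for RRSIG key tags that match no DNSKEY in the zone, computing DNSKEY key tags per RFC 4034 Appendix B. The zone fragment is constructed, the parser assumes one record per line with an explicit IN class, and the signature fields are placeholders rather than real signatures.

```python
import base64
from collections import Counter

# Constructed sample zone fragment (not the udp53.cz zone from the mail): one ZSK
# DNSKEY, two RRSIGs over the same CNAME RRset made with the same key tag, and one
# RRSIG whose key tag matches no DNSKEY. Signature fields are placeholder base64.
SAMPLE_ZONE = """\
example.test.     3600  IN DNSKEY 256 3 5 AAECAw== ;{id = 1545 (zsk)}
www.example.test. 86400 IN CNAME  example.test.
www.example.test. 86400 IN RRSIG CNAME 5 3 86400 20100702112223 20100625080603 1545 example.test. c2lnMQ==
www.example.test. 86400 IN RRSIG CNAME 5 3 86400 20100702081935 20100625082052 1545 example.test. c2lnMg==
vpn.example.test. 86400 IN RRSIG A 5 3 86400 20100702081935 20100625082052 9005 example.test. c2lnMw==
"""

def key_tag(flags, protocol, algorithm, pubkey):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (algorithms other than 1)."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8      # sum of big-endian 16-bit words
    acc += (acc >> 16) & 0xFFFF            # fold the carry back in
    return acc & 0xFFFF

def audit_rrsigs(zone_text):
    """Return (duplicate RRSIG keys, RRSIG key tags with no matching DNSKEY)."""
    dnskey_tags = set()
    sig_counts = Counter()
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()   # drop ldns-style ;{...} comments
        if len(fields) < 4:
            continue
        owner, rtype = fields[0], fields[3]      # assumes "owner ttl IN type ..."
        if rtype == "DNSKEY":
            flags, proto, alg = (int(x) for x in fields[4:7])
            pubkey = base64.b64decode("".join(fields[7:]))
            dnskey_tags.add(key_tag(flags, proto, alg, pubkey))
        elif rtype == "RRSIG":
            # RDATA: type covered, alg, labels, orig TTL, exp, inc, key tag, signer, sig
            covered, tag = fields[4], int(fields[10])
            sig_counts[(owner, covered, tag)] += 1
    duplicates = sorted(k for k, n in sig_counts.items() if n > 1)
    orphans = sorted({tag for (_, _, tag) in sig_counts if tag not in dnskey_tags})
    return duplicates, orphans

if __name__ == "__main__":
    dups, orphans = audit_rrsigs(SAMPLE_ZONE)
    print("duplicate RRSIGs over one RRset:", dups)
    print("RRSIG key tags without a DNSKEY:", orphans)
```

Two valid signatures from the same key over one RRset are not a protocol violation, as the mail notes, but they are a useful signal that a key was imported twice or that signer state has drifted, and the orphan check separates that case from a genuinely missing DNSKEY.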


