[Opendnssec-user] ksk-roll bug or misunderstanding?

Tom Hendrikx tom at whyscream.net
Mon Mar 15 14:22:13 UTC 2010


sion at nominet.org.uk wrote:
>> I am trying to do a ksk-roll on an imported zone (previously managed
>> manually), but something seems to go wrong.  Transition process was done
>> just as defined on the "Using OpenDNSSEC" web page. What I did:
> 
> So one thing is there is a bug in v1.0.0 where the key import doesn't work
> correctly. I suspect this to be the case from the output:
> 
>> SQLite database set to: /var/lib/opendnssec/kasp.db
>> tomhendrikx.nl                  KSK           active    �9گT.G�`CG��Xگ�9گ��9�  a2                                softHSM  4665
>> tomhendrikx.nl                  KSK           ready     next rollover             6e6919ffc1d34ccc8f14c338d7ff843b  softHSM  47140
> 
> where the random string output is a sign of the import bug.
> 
> There are 2 things that I can suggest; firstly try the code in trunk and
> redo the import. If that is not practical for you then if you specify the
> retire time of the key as you import it the bug should not be hit.
> 
> If these steps do not work, and if you are willing, could you send me a
> copy of your kasp.db off-list? I will see if there is another issue that
> might cause the rollover to fail.
> 
> Thank you.
> 
> Sion

Hi,

I think that I used the invalid date format 2009-07-05 in my original
test. So I tried to reproduce this on a test setup:

[Test 1]: ods/1.0.0, softhsm/1.1.3 install, using a valid date format
during import:

# softhsm --import tomhendrikx.nl.ksk-04665.pem --slot 0 --label a1 --id a1 --pin 1234
The key pair has been imported to the token in slot 0.
# ods-hsmutil list
Listing keys in all repositories.
1 key found.

Repository            ID                                Type
----------            --                                ----
softHSM               a1                                RSA/4096

# ods-ksmutil key import --cka_id a1 --repository softHSM --zone tomhendrikx.nl --bits 4096 --keystate active --algorithm 7 --keytype ksk --time 20090705
SQLite database set to: /var/lib/opendnssec/kasp.db
Key imported into zone(s)
# ods-ksmutil key list
SQLite database set to: /var/lib/opendnssec/kasp.db
Keys:
Zone:                           Keytype:      State:    Date of next transition:
tomhendrikx.nl                  KSK           active    ��T�;�`�;������i.�

Thus, using a valid date format on 1.0.0 makes no difference here.

[Test 2]: ods/trunk at r3053, softhsm/1.1.3 install

# ods-ksmutil key import --cka_id a1 --repository softHSM --zone tomhendrikx.nl --bits 4096 --keystate active --algorithm 7 --keytype ksk --time 20090705
SQLite database set to: /var/lib/opendnssec/kasp.db
Key imported into zone(s)

# ods-ksmutil key list
SQLite database set to: /var/lib/opendnssec/kasp.db
Keys:
Zone:                           Keytype:      State:    Date of next transition:  CKA_ID:                           Repository:  Keytag:
tomhendrikx.nl                  KSK           active    2010-07-05 00:00:00       a1                                softHSM      4665
tomhendrikx.nl                  KSK           publish   2010-03-16 05:16:10       fb146c974c3f2246b97f04b3210a9925  softHSM      7116

This looks better. I'll try a ksk-roll with this key and see if the date
format has any influence.

Thanks for the help so far.

--
Regards,
	Tom
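As an added check, not part of this thread or of OpenDNSSEC itself, here is a small Python parser over `ods-ksmutil key list` output that flags any key whose "Date of next transition" column holds junk instead of a timestamp, which is the symptom Sion points to above. The column layout is assumed from the Test 2 listing in this thread; the sample output, the zone name and the junk bytes in it are constructed for the example.

```python
"""Sanity-check `ods-ksmutil key list` output for the corrupt-date symptom.

Added example, not part of the mailing-list thread or of OpenDNSSEC.
It only parses text it is given; it never calls the OpenDNSSEC tools.
"""
import re
from datetime import datetime

# Constructed sample in the shape of `ods-ksmutil key list` output (OpenDNSSEC 1.x
# column layout as shown in the thread). Row 1 carries made-up junk bytes in the
# "Date of next transition" column, mimicking the import bug; rows 2 and 3 are fine.
SAMPLE_OUTPUT = (
    "SQLite database set to: /var/lib/opendnssec/kasp.db\n"
    "Keys:\n"
    "Zone:                           Keytype:      State:    "
    "Date of next transition:  CKA_ID:                           Repository:  Keytag:\n"
    "example.test                    KSK           active    "
    "\x9a\xd9\xafT.G\x9a\xd9`CG        a1                                softHSM      4665\n"
    "example.test                    KSK           publish   "
    "2010-03-16 05:16:10       fb146c974c3f2246b97f04b3210a9925  softHSM      7116\n"
    "example.test                    ZSK           ready     "
    "next rollover             6e6919ffc1d34ccc8f14c338d7ff843b  softHSM      47140\n"
)

# A data row starts with the zone, the key type and the state; everything after
# that is column-separated by runs of two or more spaces.
ROW_RE = re.compile(r"^(?P<zone>\S+)\s+(?P<keytype>KSK|ZSK)\s+(?P<state>\S+)\s+(?P<rest>.*)$")
DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}$")
# Plain-text values the date column legitimately carries, e.g. "next rollover".
TEXT_RE = re.compile(r"^[A-Za-z][A-Za-z ]*$")


def date_field_ok(value: str) -> bool:
    """True if the date column holds a real timestamp or a known textual marker."""
    if TEXT_RE.match(value):
        return True
    if not DATE_RE.match(value):
        return False
    try:
        # Shape is right; make sure the calendar values are real too.
        datetime.strptime(value, "%Y-%m-%d %H:%M:%S")
    except ValueError:
        return False
    return True


def parse_key_list(output: str) -> list:
    """Turn the listing into one dict per key row; preamble and header are skipped."""
    rows = []
    for line in output.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue  # "SQLite database set to", "Keys:" and the header row
        fields = re.split(r"\s{2,}", m.group("rest").strip())
        rows.append({
            "zone": m.group("zone"),
            "keytype": m.group("keytype"),
            "state": m.group("state"),
            "date": fields[0] if fields else "",
            "cka_id": fields[1] if len(fields) > 1 else "",
            "repository": fields[2] if len(fields) > 2 else "",
            "keytag": fields[3] if len(fields) > 3 else "",
        })
    return rows


def find_corrupt_keys(output: str) -> list:
    """Rows whose date column is neither a timestamp nor a textual marker."""
    return [row for row in parse_key_list(output) if not date_field_ok(row["date"])]


if __name__ == "__main__":
    for row in find_corrupt_keys(SAMPLE_OUTPUT):
        # repr() makes the junk bytes visible instead of rendering them raw.
        print("suspect key: zone=%s type=%s cka_id=%s keytag=%s date=%r"
              % (row["zone"], row["keytype"], row["cka_id"], row["keytag"], row["date"]))
```

Run it against a saved listing (`ods-ksmutil key list > keys.txt`, then read the file into `find_corrupt_keys`) after an import; a non-empty result means the retire time did not land in the database correctly and the rollover should not be trusted until the key is re-imported.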