[Opendnssec-user] OpenDNSSEC and multiple repositories
Sebastian Castro
sebastian at nzrs.net.nz
Mon Sep 6 05:08:43 UTC 2010
Hi:
During our internal testing with OpenDNSSEC, we found a weird behavior.
My environment is a Linux Debian Squeeze box running OpenDNSSEC 1.1.0
from packages with an SCA6000 HSM.
We created three users in the keystore with the objective of supporting
three different repositories for OpenDNSSEC, one per policy.
We tested the correct HSM operation using the native PKCS#11 tools such
as pkcs11-list, pkcs11-keygen and pkcs11-destroy and it worked properly
with all three users.
With the following repository definition, things go well:
<RepositoryList>
<Repository name="SCA-nz-TLD">
<Module>/usr/lib/pkcs11/PKCS11_API.so</Module>
<TokenLabel>nz-dnssec-keystore</TokenLabel>
<PIN>nz-tld:WieCi2Aeyo</PIN>
<Capacity>1000</Capacity>
</Repository>
</RepositoryList>
You can run ods-hsmutil:
ods-hsmutil -v list SCA-nz-TLD
Listing keys in repository: SCA-nz-TLD
0 keys found.
Repository ID Type
---------- -- ----
Generate a few keys using ods-ksmutil:
ods-ksmutil key generate --policy nz-TLD --interval P1M
SQLite database set to: /var/lib/opendnssec/db/kasp.db
Key sharing is On
Warning: converting P1M to seconds may not give what you expect
HSM opened successfully.
Created ZSK size: 1024, alg: 7 with id: 438eaf63db9144ab5512d25da363af60
in repository: SCA-nz-TLD and database.
Created ZSK size: 1024, alg: 7 with id: cf9d92b5111bf941a9c51f0300555214
in repository: SCA-nz-TLD and database.
Then see the keys using ods-hsmutil:
ods-hsmutil -v list SCA-nz-TLD
Listing keys in repository: SCA-nz-TLD
2 keys found.
Repository ID Type
---------- -- ----
SCA-nz-TLD 438eaf63db9144ab5512d25da363af60 RSA/1024
SCA-nz-TLD cf9d92b5111bf941a9c51f0300555214 RSA/1024
But, when we add a repository in the conf.xml file, ods-hsmutil starts
to do some strange things.
The new repository looks like this:
<Repository name="SCA-nz-SLD">
<Module>/usr/lib/pkcs11/PKCS11_API.so</Module>
<TokenLabel>nz-dnssec-keystore</TokenLabel>
<PIN>nz-sld:vohph6boKu</PIN>
<Capacity>1000</Capacity>
</Repository>
(note the different name and PIN)
If you run ods-hsmutil you get:
ods-hsmutil -v list SCA-nz-TLD
Unknown error
If we try the new repository:
ods-hsmutil -v list SCA-nz-SLD
Unknown error
If the first definition is commented out to look like the following:
<RepositoryList>
<!--
<Repository name="SCA-nz-TLD">
<Module>/usr/lib/pkcs11/PKCS11_API.so</Module>
<TokenLabel>nz-dnssec-keystore</TokenLabel>
<PIN>nz-tld:WieCi2Aeyo</PIN>
<Capacity>1000</Capacity>
</Repository>
-->
<Repository name="SCA-nz-SLD">
<Module>/usr/lib/pkcs11/PKCS11_API.so</Module>
<TokenLabel>nz-dnssec-keystore</TokenLabel>
<PIN>nz-sld:vohph6boKu</PIN>
<Capacity>1000</Capacity>
</Repository>
</RepositoryList>
Voila! Issue solved!
ods-hsmutil -v list SCA-nz-SLD
Listing keys in repository: SCA-nz-SLD
0 keys found.
Repository ID Type
---------- -- ----
ods-hsmutil -v list SCA-nz-TLD
hsm_token_attached(): Can't find repository: SCA-nz-TLD
So repositories defined individually work well, but together they break things.
Documentation indicates multiple repositories can be defined, but it
doesn't seem to be the case.
Has anyone seen this before?
cheers,
--
Sebastian Castro
DNS Specialist
.nz Registry Services (New Zealand Domain Name Registry Limited)
desk: +64 4 495 2337
mobile: +64 21 400535
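A small configuration check for the pattern reported above, added here as an illustration and not part of the original post or of OpenDNSSEC: it parses the RepositoryList of a conf.xml document and reports repositories that reference the same PKCS#11 module and token label under different PINs, which is the combination that produced "Unknown error" in the report. The embedded conf.xml is constructed for this example and its PIN values are placeholders, not the poster's; the output never includes the PINs themselves.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed conf.xml fragment mirroring the two repositories in the post.
# The PIN values are placeholders; only the user-prefix part is kept for shape.
SAMPLE_CONF = """<Configuration>
<RepositoryList>
<Repository name="SCA-nz-TLD">
<Module>/usr/lib/pkcs11/PKCS11_API.so</Module>
<TokenLabel>nz-dnssec-keystore</TokenLabel>
<PIN>nz-tld:PLACEHOLDER_PIN_1</PIN>
<Capacity>1000</Capacity>
</Repository>
<Repository name="SCA-nz-SLD">
<Module>/usr/lib/pkcs11/PKCS11_API.so</Module>
<TokenLabel>nz-dnssec-keystore</TokenLabel>
<PIN>nz-sld:PLACEHOLDER_PIN_2</PIN>
<Capacity>1000</Capacity>
</Repository>
</RepositoryList>
</Configuration>"""


def parse_repositories(conf_xml):
    """Return (name, module, token_label, pin) for every <Repository> in conf.xml."""
    root = ET.fromstring(conf_xml)
    return [
        (rep.get("name"), rep.findtext("Module"),
         rep.findtext("TokenLabel"), rep.findtext("PIN"))
        for rep in root.iter("Repository")
    ]


def shared_token_groups(repos):
    """Group repositories by (module, token_label) and keep only groups with
    more than one member. Each group records the names and how many distinct
    PINs are used against that one token; the PIN strings are never returned."""
    groups = defaultdict(lambda: {"names": [], "pins": set()})
    for name, module, label, pin in repos:
        groups[(module, label)]["names"].append(name)
        groups[(module, label)]["pins"].add(pin)
    return {
        key: {"names": g["names"], "distinct_pins": len(g["pins"])}
        for key, g in groups.items() if len(g["names"]) > 1
    }


if __name__ == "__main__":
    for (module, label), g in shared_token_groups(parse_repositories(SAMPLE_CONF)).items():
        print(f"token {label!r} via {module} shared by {', '.join(g['names'])} "
              f"({g['distinct_pins']} distinct PINs)")
```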