[Opendnssec-user] OpenDNSSEC and multiple repositories

Rickard Bellgrim rickard.bellgrim at iis.se
Mon Sep 6 06:20:16 UTC 2010


The problem is that we use the token label as the unique identifier for the HSM and not the label and pin pair. We connect to the first occurrence of the token label.

// Rickard

6 sep 2010 kl. 07:09 skrev "Sebastian Castro" <sebastian at nzrs.net.nz>:

> Hi:
> 
> During our internal testing with OpenDNSSEC, we found a weird behavior.
> 
> My environment is a Linux Debian Squeeze box running OpenDNSSEC 1.1.0
> from packages with an SCA6000 HSM.
> 
> We created three users in the keystore with the objective of supporting
> three different repositories for OpenDNSSEC, one per policy.
> 
> We tested the correct HSM operation using the native PKCS#11 tools such
> as pkcs11-list, pkcs11-keygen and pkcs11-destroy and it worked properly
> with all three users.
> 
> With the following repository definition, things go well
> 
>        <RepositoryList>
> 
>                <Repository name="SCA-nz-TLD">
>                        <Module>/usr/lib/pkcs11/PKCS11_API.so</Module>
>                        <TokenLabel>nz-dnssec-keystore</TokenLabel>
>                        <PIN>nz-tld:WieCi2Aeyo</PIN>
>                        <Capacity>1000</Capacity>
>                </Repository>
>        </RepositoryList>
> 
> 
> you can run ods-hsmutil:
> 
> ods-hsmutil -v list  SCA-nz-TLD
> Listing keys in repository: SCA-nz-TLD
> 0 keys found.
> 
> Repository            ID                                Type
> ----------            --                                ----
> 
> 
> Generate a few keys using ods-ksmutil
> 
> ods-ksmutil key generate --policy nz-TLD --interval P1M
> SQLite database set to: /var/lib/opendnssec/db/kasp.db
> Key sharing is On
> Warning: converting P1M to seconds may not give what you expect
> HSM opened successfully.
> Created ZSK size: 1024, alg: 7 with id: 438eaf63db9144ab5512d25da363af60
> in repository: SCA-nz-TLD and database.
> Created ZSK size: 1024, alg: 7 with id: cf9d92b5111bf941a9c51f0300555214
> in repository: SCA-nz-TLD and database.
> 
> then see the keys using ods-hsmutil
> 
> ods-hsmutil -v list  SCA-nz-TLD
> Listing keys in repository: SCA-nz-TLD
> 2 keys found.
> 
> Repository            ID                                Type
> ----------            --                                ----
> SCA-nz-TLD            438eaf63db9144ab5512d25da363af60  RSA/1024
> SCA-nz-TLD            cf9d92b5111bf941a9c51f0300555214  RSA/1024
> 
> But, when we add a repository in the conf.xml file, ods-hsmutil starts
> to do some strange things.
> 
> The new repository looks like this:
> 
>                <Repository name="SCA-nz-SLD">
>                        <Module>/usr/lib/pkcs11/PKCS11_API.so</Module>
>                        <TokenLabel>nz-dnssec-keystore</TokenLabel>
>                        <PIN>nz-sld:vohph6boKu</PIN>
>                        <Capacity>1000</Capacity>
>                </Repository>
> 
> (note the different name and PIN)
> 
> If you run ods-hsmutil you get:
> 
> ods-hsmutil -v list  SCA-nz-TLD
> Unknown error
> 
> If we try the new repository
> 
> ods-hsmutil -v list  SCA-nz-SLD
> Unknown error
> 
> If the first definition is commented to look like the following
> 
>        <RepositoryList>
> 
> <!--
>                <Repository name="SCA-nz-TLD">
>                        <Module>/usr/lib/pkcs11/PKCS11_API.so</Module>
>                        <TokenLabel>nz-dnssec-keystore</TokenLabel>
>                        <PIN>nz-tld:WieCi2Aeyo</PIN>
>                        <Capacity>1000</Capacity>
>                </Repository>
> -->
> 
>                <Repository name="SCA-nz-SLD">
>                        <Module>/usr/lib/pkcs11/PKCS11_API.so</Module>
>                        <TokenLabel>nz-dnssec-keystore</TokenLabel>
>                        <PIN>nz-sld:vohph6boKu</PIN>
>                        <Capacity>1000</Capacity>
>                </Repository>
>        </RepositoryList>
> 
> voila! Issue solved!
> 
> ods-hsmutil -v list  SCA-nz-SLD
> Listing keys in repository: SCA-nz-SLD
> 0 keys found.
> 
> Repository            ID                                Type
> ----------            --                                ----
> 
> 
> ods-hsmutil -v list  SCA-nz-TLD
> hsm_token_attached(): Can't find repository: SCA-nz-TLD
> 
> So repositories individually defined work well, but together break things.
> 
> Documentation indicates multiple repositories can be defined, but it
> doesn't seem to be the case.
> 
> Has anyone seen this before?
> 
> 
> cheers,
> -- 
> Sebastian Castro
> DNS Specialist
> .nz Registry Services (New Zealand Domain Name Registry Limited)
> desk: +64 4 495 2337
> mobile: +64 21 400535
> _______________________________________________
> Opendnssec-user mailing list
> Opendnssec-user at lists.opendnssec.org
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
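The failure mode discussed in this thread (two repositories in conf.xml sharing the same Module and TokenLabel, differing only in name and PIN) can be caught before ods-hsmutil is run. The following pre-flight check is an added example and not OpenDNSSEC's own code; the sample conf.xml fragment, the PIN placeholders and the third repository "SCA-nz-other" are constructed for illustration.

```python
# Added example (not OpenDNSSEC code): scan a conf.xml RepositoryList and
# flag repositories that share a PKCS#11 Module and TokenLabel. OpenDNSSEC 1.1
# keys its HSM session on the token label alone, so a second repository with
# the same label but a different PIN is never attached on its own terms.
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample mirroring the thread's setup; PINs are placeholders.
SAMPLE_CONF = """<Configuration>
  <RepositoryList>
    <Repository name="SCA-nz-TLD">
      <Module>/usr/lib/pkcs11/PKCS11_API.so</Module>
      <TokenLabel>nz-dnssec-keystore</TokenLabel>
      <PIN>PIN-PLACEHOLDER-A</PIN>
      <Capacity>1000</Capacity>
    </Repository>
    <Repository name="SCA-nz-SLD">
      <Module>/usr/lib/pkcs11/PKCS11_API.so</Module>
      <TokenLabel>nz-dnssec-keystore</TokenLabel>
      <PIN>PIN-PLACEHOLDER-B</PIN>
      <Capacity>1000</Capacity>
    </Repository>
    <Repository name="SCA-nz-other">
      <Module>/usr/lib/pkcs11/PKCS11_API.so</Module>
      <TokenLabel>other-keystore</TokenLabel>
      <PIN>PIN-PLACEHOLDER-C</PIN>
      <Capacity>1000</Capacity>
    </Repository>
  </RepositoryList>
</Configuration>"""


def find_token_label_collisions(conf_xml):
    """Map (module, token_label) -> list of repository names, keeping only
    labels claimed by more than one repository. XML comments are ignored by
    the parser, so a commented-out Repository does not count (which is why
    Sebastian's workaround made the error disappear)."""
    root = ET.fromstring(conf_xml)
    by_token = defaultdict(list)
    for repo in root.iter("Repository"):
        module = (repo.findtext("Module") or "").strip()
        label = (repo.findtext("TokenLabel") or "").strip()
        by_token[(module, label)].append(repo.get("name"))
    return {key: names for key, names in by_token.items() if len(names) > 1}


def report(conf_xml):
    """Human-readable findings, one line per colliding token label."""
    return [
        f"token label {label!r} in {module} is claimed by {', '.join(names)}: "
        f"only the first will be attached; the others' PINs are never used"
        for (module, label), names in sorted(find_token_label_collisions(conf_xml).items())
    ]


if __name__ == "__main__":
    for line in report(SAMPLE_CONF):
        print(line)
```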
