[Opendnssec-user] Duplicate keys

Casper Gielen C.Gielen at uvt.nl
Thu Oct 13 10:00:42 UTC 2011


On 13-10-11 10:50, Matthijs Mekking wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Hi Casper,
> 
> The enforcer manages the keys, but the logs below only show the signer
> logs. Do you have any logs on the enforcer?

I've included the relevant part below.

> 
> Also, I would be interested in what keys are visible in the signer
> configurations. Could you show me one?

I'm not sure if I understand the question. I guess you mean the file from
/var/lib/opendnssec/signconf/ . I've included it at the end of this mail.
FYI I stopped hiding the real domain name. This is a test environment
and the keys will never be used in production (nor will the rest of this system).

I've also tried to manually generate some keys, but without success, as you can see below.

> 
> Obviously from the logs, the signer cannot handle duplicate keys. I will
> take a look how I can make this more robust.

Oct 13 11:36:58 metagross ods-enforcerd: Zone hetnieuwemarketingdenken.nl found.
Oct 13 11:36:58 metagross ods-enforcerd: Policy for hetnieuwemarketingdenken.nl set to default.
Oct 13 11:36:58 metagross ods-enforcerd: Config will be output to /var/lib/opendnssec/signconf/hetnieuwemarketingdenken.nl.xml.
Oct 13 11:36:58 metagross ods-enforcerd: Not enough keys to satisfy ksk policy for zone: hetnieuwemarketingdenken.nl
Oct 13 11:36:58 metagross ods-enforcerd: ods-enforcerd will create some more keys on its next run
Oct 13 11:36:58 metagross ods-enforcerd: Error allocating ksks to zone hetnieuwemarketingdenken.nl

root at metagross:~# ps aux|grep enforce 
root     11932  0.0  0.1  76400 15876 ?        Ss   Sep29   7:46 /usr/sbin/ods-enforcerd
# runs as root, so it's not a permission-problem

root at metagross:~# ods-ksmutil key generate --policy default --interval -P3M
MySQL database host set to: localhost
MySQL database port set to: 3306
MySQL database schema set to: opendnssec
MySQL database user set to: opendnssec
MySQL database password set
Key sharing is Off
Info: converting -P3M to seconds; M interpreted as 31 days, Y interpreted as 365 days
HSM opened successfully.
NOTE: keys generated in repository LocalHSM will not become active until they have been backed up
all done! hsm_close result: 0

root at metagross:~# backup-dnssec 

root at metagross:~# ods-enforcerd -1
Oct 13 11:50:43 metagross ods-enforcerd: Zone hetnieuwemarketingdenken.nl found.
Oct 13 11:50:43 metagross ods-enforcerd: Policy for hetnieuwemarketingdenken.nl set to default.
Oct 13 11:50:43 metagross ods-enforcerd: Config will be output to /var/lib/opendnssec/signconf/hetnieuwemarketingdenken.nl.xml.
Oct 13 11:50:43 metagross ods-enforcerd: Not enough keys to satisfy ksk policy for zone: hetnieuwemarketingdenken.nl
Oct 13 11:50:43 metagross ods-enforcerd: ods-enforcerd will create some more keys on its next run
Oct 13 11:50:43 metagross ods-enforcerd: Error allocating ksks to zone hetnieuwemarketingdenken.nl
root at metagross:/var/lib/opendnssec/signconf# cat hetnieuwemarketingdenken.nl.xml
<SignerConfiguration>
        <Zone name="hetnieuwemarketingdenken.nl">
                <Signatures>
                        <Resign>PT7200S</Resign>
                        <Refresh>PT259200S</Refresh>
                        <Validity>
                                <Default>PT604800S</Default>
                                <Denial>PT604800S</Denial>
                        </Validity>
                        <Jitter>PT43200S</Jitter>
                        <InceptionOffset>PT3600S</InceptionOffset>
                </Signatures>

                <Denial>
                        <NSEC3>
                                <Hash>
                                        <Algorithm>1</Algorithm>
                                        <Iterations>5</Iterations>
                                        <Salt>89f99a02f6a1f3dc</Salt>
                                </Hash>
                        </NSEC3>
                </Denial>

                <Keys>
                        <TTL>PT3600S</TTL>
                        <Key>
                                <Flags>257</Flags>
                                <Algorithm>8</Algorithm>
                                <Locator>e06cf9d3ed0cd8d97aaf12f3268a4c6e</Locator>
                                <KSK />
                                <Publish />
                        </Key>

                        <Key>
                                <Flags>257</Flags>
                                <Algorithm>8</Algorithm>
                                <Locator>e06cf9d3ed0cd8d97aaf12f3268a4c6e</Locator>
                                <KSK />
                                <Publish />
                        </Key>

                        <Key>
                                <Flags>257</Flags>
                                <Algorithm>8</Algorithm>
                                <Locator>8d385ee76bd0e5c57737cfa8ea79e91a</Locator>
                                <KSK />
                                <Publish />
                        </Key>

                        <Key>
                                <Flags>257</Flags>
                                <Algorithm>8</Algorithm>
                                <Locator>8d385ee76bd0e5c57737cfa8ea79e91a</Locator>
                                <KSK />
                                <Publish />
                        </Key>

                        <Key>
                                <Flags>257</Flags>
                                <Algorithm>8</Algorithm>
                                <Locator>9acc30a8dd26e740eafbbb3a2141aad8</Locator>
                                <KSK />
                                <Publish />
                        </Key>

                        <Key>
                                <Flags>257</Flags>
                                <Algorithm>8</Algorithm>
                                <Locator>9acc30a8dd26e740eafbbb3a2141aad8</Locator>
                                <KSK />
                                <Publish />
                        </Key>

                        <Key>
                                <Flags>256</Flags>
                                <Algorithm>8</Algorithm>
                                <Locator>b072a28ed19f9409923cce2291e9f23c</Locator>
                                <ZSK />
                                <Publish />
                        </Key>

                        <Key>
                                <Flags>256</Flags>
                                <Algorithm>8</Algorithm>
                                <Locator>b072a28ed19f9409923cce2291e9f23c</Locator>
                                <ZSK />
                                <Publish />
                        </Key>

                        <Key>
                                <Flags>256</Flags>
                                <Algorithm>8</Algorithm>
                                <Locator>03f59dd7501fc42f5a06abf08c240c39</Locator>
                                <Publish />
                        </Key>

                        <Key>
                                <Flags>256</Flags>
                                <Algorithm>8</Algorithm>
                                <Locator>03f59dd7501fc42f5a06abf08c240c39</Locator>
                                <Publish />
                        </Key>

                        <Key>
                                <Flags>256</Flags>
                                <Algorithm>8</Algorithm>
                                <Locator>c67cbeb7ee14e21a099d833b27b15b7b</Locator>
                                <Publish />
                        </Key>

                        <Key>
                                <Flags>256</Flags>
                                <Algorithm>8</Algorithm>
                                <Locator>c67cbeb7ee14e21a099d833b27b15b7b</Locator>
                                <Publish />
                        </Key>

                </Keys>

                <SOA>
                        <TTL>PT3600S</TTL>
                        <Minimum>PT3600S</Minimum>
                        <Serial>datecounter</Serial>
                </SOA>

                <Audit />

        </Zone>
</SignerConfiguration>
-- 
Casper Gielen <cgielen at uvt.nl> | LIS UNIX
PGP fingerprint = 16BD 2C9F 8156 C242 F981  63B8 2214 083C F80E 4AF7

Universiteit van Tilburg | Postbus 90153, 5000 LE
Warandelaan 2 | Telefoon 013 466 4100 | G 236 | http://www.uvt.nl
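The signconf posted above lists every KSK and ZSK locator twice, which Matthijs says the signer cannot handle. The following is an added diagnostic written for this thread, not part of OpenDNSSEC and not something either poster ran: it parses a signer configuration file, reports any `<Locator>` that appears more than once under `<Keys>` for a zone, and as a second sanity check flags keys whose DNSKEY `<Flags>` value disagrees with their `<KSK />`/`<ZSK />` role element (257 has the SEP bit set and is expected for a KSK, 256 for a ZSK). The embedded sample is a constructed, cut-down copy of the shape of the posted signconf, with one duplicated KSK locator; the file paths and function names are my own.

```python
"""Report duplicate <Key> locators in an OpenDNSSEC signer configuration.

Added diagnostic for the thread above; not OpenDNSSEC code. Usage:
    python check_signconf.py /var/lib/opendnssec/signconf/<zone>.xml ...
Exit status is 1 if any zone has a duplicated locator.
"""
import sys
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample (not a real signconf): one KSK listed twice under the
# same locator, one clean ZSK. The locators are copied from the posted file
# only so the shape matches; the zone name is made up.
SAMPLE_SIGNCONF = """<SignerConfiguration>
  <Zone name="example.test">
    <Keys>
      <TTL>PT3600S</TTL>
      <Key><Flags>257</Flags><Algorithm>8</Algorithm>
           <Locator>e06cf9d3ed0cd8d97aaf12f3268a4c6e</Locator><KSK /><Publish /></Key>
      <Key><Flags>257</Flags><Algorithm>8</Algorithm>
           <Locator>e06cf9d3ed0cd8d97aaf12f3268a4c6e</Locator><KSK /><Publish /></Key>
      <Key><Flags>256</Flags><Algorithm>8</Algorithm>
           <Locator>b072a28ed19f9409923cce2291e9f23c</Locator><ZSK /><Publish /></Key>
    </Keys>
  </Zone>
</SignerConfiguration>
"""


def key_records(xml_text):
    """Yield (zone, locator, flags, roles) for every <Key> in the signconf."""
    root = ET.fromstring(xml_text)
    for zone in root.iter("Zone"):
        name = zone.get("name", "?")
        for key in zone.iter("Key"):
            locator = (key.findtext("Locator", "") or "").strip()
            flags = (key.findtext("Flags", "") or "").strip()
            # Role elements are empty tags; presence is what matters.
            roles = tuple(r for r in ("KSK", "ZSK", "Publish")
                          if key.find(r) is not None)
            yield name, locator, flags, roles


def duplicate_locators(xml_text):
    """Return {(zone, locator): count} for locators listed more than once.

    The enforcer should emit each HSM key once per zone; a repeated locator
    is the condition the signer logs in the thread choked on.
    """
    counts = Counter((zone, loc) for zone, loc, _, _ in key_records(xml_text))
    return {k: n for k, n in counts.items() if n > 1}


def flag_role_mismatches(xml_text):
    """Return (zone, locator, role, flags) where Flags disagree with the role.

    257 (SEP bit set) is expected with <KSK/>, 256 with <ZSK/>. Keys carrying
    only <Publish/> have no signing role and are deliberately not checked.
    """
    expected = {"KSK": "257", "ZSK": "256"}
    bad = []
    for zone, loc, flags, roles in key_records(xml_text):
        for role, want in expected.items():
            if role in roles and flags != want:
                bad.append((zone, loc, role, flags))
    return bad


def check_file(path):
    """Print findings for one signconf file; return True if it is clean."""
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    dups = duplicate_locators(text)
    for (zone, loc), n in sorted(dups.items()):
        print(f"{path}: zone {zone}: locator {loc} listed {n} times")
    for zone, loc, role, flags in flag_role_mismatches(text):
        print(f"{path}: zone {zone}: {role} key {loc} has Flags {flags}")
    return not dups


if __name__ == "__main__":
    paths = sys.argv[1:]
    if not paths:
        # No file given: run against the constructed sample instead.
        for (zone, loc), n in duplicate_locators(SAMPLE_SIGNCONF).items():
            print(f"sample: zone {zone}: locator {loc} listed {n} times")
        sys.exit(1 if duplicate_locators(SAMPLE_SIGNCONF) else 0)
    sys.exit(0 if all(check_file(p) for p in paths) else 1)
```

Run against the real file from the thread it would report six locators, each listed twice. The script only reads; it does not rewrite the signconf, because the enforcer regenerates that file on its next run and the duplication has to be fixed on the enforcer side (the key database), not by hand-editing the signer's view of it.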