[Opendnssec-user] ods uses a different key for signing than reported by ods-ksmutil
Klaus Darilion
klaus.mailinglists at pernau.at
Thu Nov 14 07:37:26 UTC 2013
Hi!
I have a strange problem. ODS 1.3.15 with nCipher HSM. The HSM is
split into repositories, with every zone signed by ODS having its
own repository with keys. For some zones, everything works fine, but for
some zones, ODS uses a different key for signing than it reports with
ods-ksmutil.
Output (zonename changed):
# ods-ksmutil key export --zone myzone
;active KSK DNSKEY record:
myzone. 3600 IN DNSKEY 257 3 8
AwEAAaLK30ioBC5UjbeIlRwBJdnHPNeFyVtzpa/8a7F5gUiejwQ4YNgjzQYxuP0rumR76qjC1ymTD+cxqQNv2HyjhpYkOqwz2KVeppjTg9qvPYAohVAQ58oB03LAaCl4RqrWbdKQc5DJIB93PMYt5F7r3CPdX6Bn1Y2b+r9TXT2qhCi9bovhir8aJPXxSmAUJnKNe+5bXABO19Ow+Kq/ctZFdAFNWUT+2VJwndVtIDGyKSRrCKbLlRUmWkm2Phdy9guRl20oEQIzrTR1lqtoeEmR8VBeZbbvn+ta8zYVrczn4HxrVjsmXLOZGs61Y3ttI/079Xm4Gbifky6wIgWao3Rc7Yc=
;{id = 23090 (ksk), size = 2048b}
But the signed zone contains these DNSKEYs:
myzone. 3600 IN DNSKEY 256 3 8
AwEAAcKZ7kF6xNly1CUnWA2O2FQq7OyxpriquzNDpkE8B6WZva9iXL9G9tEpjTZ9JuXYzNSE14SVaOlQpUEOvac6yhnEQr0F1yByNvT24nHqzXNm5mi1KiSw+tShD4J8WcHoijc0MnBASY5/1wkxSTjtpJ3X66lfpmV4thwcaXL65tWX
;{id = 52635 (zsk), size = 1024b}
myzone. 3600 IN DNSKEY 257 3 8
AwEAAbwO+C3LvFnin99yYqY6zcnbIh5bwaTC57MlBN90RKfAAD61SbqCkLRP/IX3Nje2//0cGIt2R9+QoUGIKS0+KXpjOhoWS7dPVAUV/teYP0Y2JybsTZ0bfh+TQBqjxu68VuzAglnSFviAjM/I513tVh+pg4o/26cy/eShPzvvnruvDYrRUpuI3JBIzGPN9wTtydoht5rWHRgQ7exAU49BvkR3IvbzsxU/CZdZVw7n+Q2RZdODdMUiNjhrJDI1LVHCVlxpOCtC38KOpY4jCiuuoiY8sMEEF+OHc6zkxBmZn0YEqo8jEOEK9UZSHOTYhiXC9ymT711g+wOKX2Krm+AbPRU=
;{id = 39445 (ksk), size = 2048b}
You see, the keytags (and keys) are different.
The signatures in the signed zone are all correct (verified with bind's
dnssec-verify).
Any ideas why ods-ksmutil reports a wrong key? Any hints on how I can debug
the problem?
Thanks
Klaus
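One way to narrow such a mismatch down is to recompute the key tags independently of ODS: the ";{id = N (ksk), size = Mb}" comment is the RFC 4034 key tag and key size derived from the DNSKEY RDATA, so recomputing both from the records above shows whether the annotation itself is trustworthy and which key tags the signed zone actually carries. The script below is an added example, not code from OpenDNSSEC or from the poster; it embeds the DNSKEY records quoted in the post as constructed input, implements the RFC 4034 Appendix B key-tag algorithm and the RFC 3110 RSA public-key layout itself, and reports the key size as modulus bytes times eight, which matches the size=...b figures in the listing.

```python
"""Recompute DNSKEY key tags (RFC 4034, Appendix B) and RSA key sizes
(RFC 3110 wire format) from DNSKEY presentation-format records and compare
them with the ";{id = N (ksk), size = Mb}" annotations printed by
ods-ksmutil / ldns.  Added example; not part of OpenDNSSEC."""
import base64
import re

# Constructed input: the two listings quoted in the mailing-list post
# (zone name "myzone." as given there), one DNSKEY record per line.
KSMUTIL_EXPORT = """\
;active KSK DNSKEY record:
myzone. 3600 IN DNSKEY 257 3 8 AwEAAaLK30ioBC5UjbeIlRwBJdnHPNeFyVtzpa/8a7F5gUiejwQ4YNgjzQYxuP0rumR76qjC1ymTD+cxqQNv2HyjhpYkOqwz2KVeppjTg9qvPYAohVAQ58oB03LAaCl4RqrWbdKQc5DJIB93PMYt5F7r3CPdX6Bn1Y2b+r9TXT2qhCi9bovhir8aJPXxSmAUJnKNe+5bXABO19Ow+Kq/ctZFdAFNWUT+2VJwndVtIDGyKSRrCKbLlRUmWkm2Phdy9guRl20oEQIzrTR1lqtoeEmR8VBeZbbvn+ta8zYVrczn4HxrVjsmXLOZGs61Y3ttI/079Xm4Gbifky6wIgWao3Rc7Yc=
;{id = 23090 (ksk), size = 2048b}
"""

SIGNED_ZONE_DNSKEYS = """\
myzone. 3600 IN DNSKEY 256 3 8 AwEAAcKZ7kF6xNly1CUnWA2O2FQq7OyxpriquzNDpkE8B6WZva9iXL9G9tEpjTZ9JuXYzNSE14SVaOlQpUEOvac6yhnEQr0F1yByNvT24nHqzXNm5mi1KiSw+tShD4J8WcHoijc0MnBASY5/1wkxSTjtpJ3X66lfpmV4thwcaXL65tWX
;{id = 52635 (zsk), size = 1024b}
myzone. 3600 IN DNSKEY 257 3 8 AwEAAbwO+C3LvFnin99yYqY6zcnbIh5bwaTC57MlBN90RKfAAD61SbqCkLRP/IX3Nje2//0cGIt2R9+QoUGIKS0+KXpjOhoWS7dPVAUV/teYP0Y2JybsTZ0bfh+TQBqjxu68VuzAglnSFviAjM/I513tVh+pg4o/26cy/eShPzvvnruvDYrRUpuI3JBIzGPN9wTtydoht5rWHRgQ7exAU49BvkR3IvbzsxU/CZdZVw7n+Q2RZdODdMUiNjhrJDI1LVHCVlxpOCtC38KOpY4jCiuuoiY8sMEEF+OHc6zkxBmZn0YEqo8jEOEK9UZSHOTYhiXC9ymT711g+wOKX2Krm+AbPRU=
;{id = 39445 (ksk), size = 2048b}
"""

DNSKEY_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?P<ttl>\d+)\s+IN\s+DNSKEY\s+"
    r"(?P<flags>\d+)\s+(?P<proto>\d+)\s+(?P<alg>\d+)\s+(?P<key>\S+)\s*$"
)
ANNOT_RE = re.compile(
    r"^;\{id = (?P<id>\d+) \((?P<role>ksk|zsk)\), size = (?P<size>\d+)b\}\s*$"
)
RSA_ALGORITHMS = {5, 7, 8, 10}  # RSASHA1, RSASHA1-NSEC3-SHA1, RSASHA256, RSASHA512


def rfc4034_key_tag(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> int:
    """Key tag over the full DNSKEY RDATA, exactly as in RFC 4034 Appendix B.1."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def rsa_public_key_fields(pubkey: bytes):
    """Split RFC 3110 RSA public key data into (exponent, modulus bytes)."""
    if pubkey[0] != 0:                      # 1-byte exponent length
        exp_len, off = pubkey[0], 1
    else:                                   # 0 escape: 2-byte exponent length
        exp_len, off = int.from_bytes(pubkey[1:3], "big"), 3
    exponent = int.from_bytes(pubkey[off:off + exp_len], "big")
    return exponent, pubkey[off + exp_len:]


def parse_listing(text: str):
    """Pair each DNSKEY line with the ";{id = ...}" comment that follows it."""
    records, pending = [], None
    for line in text.splitlines():
        m = DNSKEY_RE.match(line)
        if m:
            pending = {"owner": m["owner"], "flags": int(m["flags"]),
                       "proto": int(m["proto"]), "alg": int(m["alg"]),
                       "pubkey": base64.b64decode(m["key"])}
            records.append(pending)
            continue
        a = ANNOT_RE.match(line)
        if a and pending is not None:
            pending.update(reported_id=int(a["id"]), role=a["role"],
                           reported_size=int(a["size"]))
            pending = None
    return records


def check_listing(text: str):
    """Add the recomputed tag and size to each record and flag disagreements."""
    out = []
    for r in parse_listing(text):
        tag = rfc4034_key_tag(r["flags"], r["proto"], r["alg"], r["pubkey"])
        exponent = size = None
        if r["alg"] in RSA_ALGORITHMS:
            exponent, modulus = rsa_public_key_fields(r["pubkey"])
            size = len(modulus) * 8     # same convention as the size=...b comment
        out.append({**r, "computed_tag": tag, "exponent": exponent,
                    "computed_size": size,
                    "tag_matches": r.get("reported_id") == tag,
                    "size_matches": r.get("reported_size") == size})
    return out


def ksk_tags(text: str):
    """Computed key tags of the records with the SEP bit set (flags 257)."""
    return {r["computed_tag"] for r in check_listing(text) if r["flags"] & 1}


if __name__ == "__main__":
    for label, text in (("ods-ksmutil export", KSMUTIL_EXPORT),
                        ("signed zone", SIGNED_ZONE_DNSKEYS)):
        print(f"== {label}")
        for r in check_listing(text):
            print(f"  flags={r['flags']} alg={r['alg']} reported id={r.get('reported_id')} "
                  f"computed tag={r['computed_tag']} tag ok={r['tag_matches']} "
                  f"size={r['computed_size']} size ok={r['size_matches']}")
    print("export KSK tag present in signed zone:",
          not ksk_tags(KSMUTIL_EXPORT).isdisjoint(ksk_tags(SIGNED_ZONE_DNSKEYS)))
```

If "tag ok" is True for every record, the annotations are honest and the problem is in which key ODS hands to the signer rather than in how ods-ksmutil prints it; if the recomputed tag disagrees with the reported id, the mismatch is in the listing itself. The same tag function can be run over the key-tag field of the zone's RRSIG records to see which DNSKEY the signatures reference, which is what dnssec-verify confirms implicitly when it accepts the zone. Only RSA algorithms get an exponent and size here; other algorithms still get a key tag.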