[Opendnssec-user] ods uses a different key for signing than reported by ods-ksmutil
Klaus Darilion
klaus.mailinglists at pernau.at
Thu Nov 14 08:37:13 UTC 2013
Some more debugging:
# ods-hsmutil list| grep repo | grep 2048
repo 16fc0831b9e0738059c02291e0b0a140 RSA/2048 <- reported by ksmutil
repo ddc556f6df689c9801028b1c6db47ed7 RSA/2048 <- used by signer
repo b48880c4432ef4763b5549f947786440 RSA/2048
In /var/lib/opendnssec/signconf/myzone.xml is configured:
<Key>
<Flags>257</Flags>
<Algorithm>8</Algorithm>
<Locator>16fc0831b9e0738059c02291e0b0a140</Locator>
<KSK />
<Publish />
</Key>
but ods uses the ddc556f6df689c9801028b1c6db47ed7 key for signing. The
ddc556f6df689c9801028b1c6db47ed7 key is also not in the kasp.db file, yet it
is nevertheless used.
In /var/lib/opendnssec/tmp/myzone.backup I see a reference to the
ddc556f6df689c9801028b1c6db47ed7 key:
;;Key: locator ddc556f6df689c9801028b1c6db47ed7 algorithm 8 flags 257
publish 1 ksk 1 zsk 0
I think ddc556f6df689c9801028b1c6db47ed7 was used before the last KSK,
but why is it still used for signing although the enforcer instructs to
use the new key?
Meanwhile I restarted the ods-signer daemon and after the next zone file
update, ods signed with the correct key. So for now it is fixed, but do
you have any ideas why the signer still used the old KSK after the KSK
rollover?
Thanks
Klaus
On 14.11.2013 08:37, Klaus Darilion wrote:
> Hi!
>
> I have a strange problem. ODS 1.3.15 with nCipher HSM. The HSM is
> split into repositories, with every zone signed by ODS having its
> own repository with keys. For some zones, everything works fine, but for
> some zones, ODS uses a different key for signing than it reports with
> ods-ksmutil.
>
> Output (zonename changed):
>
> # ods-ksmutil key export --zone myzone
> ;active KSK DNSKEY record:
> myzone. 3600 IN DNSKEY 257 3 8
> AwEAAaLK30ioBC5UjbeIlRwBJdnHPNeFyVtzpa/8a7F5gUiejwQ4YNgjzQYxuP0rumR76qjC1ymTD+cxqQNv2HyjhpYkOqwz2KVeppjTg9qvPYAohVAQ58oB03LAaCl4RqrWbdKQc5DJIB93PMYt5F7r3CPdX6Bn1Y2b+r9TXT2qhCi9bovhir8aJPXxSmAUJnKNe+5bXABO19Ow+Kq/ctZFdAFNWUT+2VJwndVtIDGyKSRrCKbLlRUmWkm2Phdy9guRl20oEQIzrTR1lqtoeEmR8VBeZbbvn+ta8zYVrczn4HxrVjsmXLOZGs61Y3ttI/079Xm4Gbifky6wIgWao3Rc7Yc=
> ;{id = 23090 (ksk), size = 2048b}
>
>
> But the signed zone contains these DNSKEYs:
> myzone. 3600 IN DNSKEY 256 3 8
> AwEAAcKZ7kF6xNly1CUnWA2O2FQq7OyxpriquzNDpkE8B6WZva9iXL9G9tEpjTZ9JuXYzNSE14SVaOlQpUEOvac6yhnEQr0F1yByNvT24nHqzXNm5mi1KiSw+tShD4J8WcHoijc0MnBASY5/1wkxSTjtpJ3X66lfpmV4thwcaXL65tWX
> ;{id = 52635 (zsk), size = 1024b}
> myzone. 3600 IN DNSKEY 257 3 8
> AwEAAbwO+C3LvFnin99yYqY6zcnbIh5bwaTC57MlBN90RKfAAD61SbqCkLRP/IX3Nje2//0cGIt2R9+QoUGIKS0+KXpjOhoWS7dPVAUV/teYP0Y2JybsTZ0bfh+TQBqjxu68VuzAglnSFviAjM/I513tVh+pg4o/26cy/eShPzvvnruvDYrRUpuI3JBIzGPN9wTtydoht5rWHRgQ7exAU49BvkR3IvbzsxU/CZdZVw7n+Q2RZdODdMUiNjhrJDI1LVHCVlxpOCtC38KOpY4jCiuuoiY8sMEEF+OHc6zkxBmZn0YEqo8jEOEK9UZSHOTYhiXC9ymT711g+wOKX2Krm+AbPRU=
> ;{id = 39445 (ksk), size = 2048b}
>
> You see, the keytags (and keys) are different.
>
> The signatures in the signed zone are all correct (verified with bind's
> dnssec-verify).
>
> Any ideas why ods-ksmutil reports a wrong key? Any hints how I can debug
> the problem?
>
> Thanks
> Klaus
> _______________________________________________
> Opendnssec-user mailing list
> Opendnssec-user at lists.opendnssec.org
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
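A consistency check for the two discrepancies discussed in this thread: the key tags of the DNSKEYs actually present in the signed zone (RFC 4034 key tag computation, so they can be compared with what ods-ksmutil reports), and the key locators in the zone's signconf versus those in the signer's backup state file. This is an added example, not OpenDNSSEC code; the signconf root element, the single-line backup record and the two-byte dummy public keys are constructed sample input.

```python
import base64
import re
import xml.etree.ElementTree as ET

def dnskey_keytag(flags, protocol, algorithm, pubkey_b64):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (algorithm 1 excluded)."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(pubkey_b64)
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

DNSKEY_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+DNSKEY\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)", re.I)

def keytags_in_zone(zone_text):
    """Map key tag -> (flags, algorithm) for each DNSKEY RR in presentation format."""
    tags = {}
    for line in zone_text.splitlines():
        m = DNSKEY_RE.match(line.strip())
        if m:
            _, flags, proto, alg, key = m.groups()
            tags[dnskey_keytag(int(flags), int(proto), int(alg), key)] = (int(flags), int(alg))
    return tags

def signconf_locators(signconf_xml):
    """Key locators the enforcer wrote into the zone's signconf."""
    return {k.findtext("Locator") for k in ET.fromstring(signconf_xml).iter("Key")}

BACKUP_RE = re.compile(r"^;;Key: locator (\w+) algorithm (\d+) flags (\d+)")

def backup_locators(backup_text):
    """Key locators recorded in the signer's backup state file."""
    return {m.group(1) for m in map(BACKUP_RE.match, backup_text.splitlines()) if m}

def locator_drift(signconf_xml, backup_text):
    """Return (locators only the signer knows, locators only the signconf knows)."""
    conf, state = signconf_locators(signconf_xml), backup_locators(backup_text)
    return sorted(state - conf), sorted(conf - state)

# Constructed sample input: the <Key> block from the post under an assumed root
# element, the backup record on one line, and DNSKEYs with dummy two-byte keys.
SIGNCONF = """<SignerConfiguration><Keys>
<Key><Flags>257</Flags><Algorithm>8</Algorithm>
<Locator>16fc0831b9e0738059c02291e0b0a140</Locator><KSK /><Publish /></Key>
</Keys></SignerConfiguration>"""
BACKUP = ";;Key: locator ddc556f6df689c9801028b1c6db47ed7 algorithm 8 flags 257 publish 1 ksk 1 zsk 0\n"
ZONE = "myzone. 3600 IN DNSKEY 256 3 8 AQI=\nmyzone. 3600 IN DNSKEY 257 3 8 AQI=\n"

if __name__ == "__main__":
    print("key tags in zone:", keytags_in_zone(ZONE))
    print("signer-only / signconf-only locators:", locator_drift(SIGNCONF, BACKUP))
```

Run against the real signed zone, signconf and backup files, a non-empty first element of locator_drift is exactly the situation described above: the signer still holds a key the enforcer no longer lists.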