[Opendnssec-user] ods uses a different key for signing than reported by ods-ksmutil

Matthijs Mekking matthijs at nlnetlabs.nl
Thu Nov 14 08:57:04 UTC 2013


Hi Klaus,

On 11/14/2013 09:37 AM, Klaus Darilion wrote:
> Some more debugging:
> 
> # ods-hsmutil list | grep repo | grep 2048
> repo  16fc0831b9e0738059c02291e0b0a140  RSA/2048 <- reported by ksmutil
> repo  ddc556f6df689c9801028b1c6db47ed7  RSA/2048 <- used by signer
> repo  b48880c4432ef4763b5549f947786440  RSA/2048
> 
> In /var/lib/opendnssec/signconf/myzone.xml is configured:
> 
>   <Key>
>     <Flags>257</Flags>
>     <Algorithm>8</Algorithm>
>     <Locator>16fc0831b9e0738059c02291e0b0a140</Locator>
>     <KSK />
>     <Publish />
>   </Key>
> 
> but ods uses the ddc556f6df689c9801028b1c6db47ed7 key for signing. The
> ddc556f6df689c9801028b1c6db47ed7 is also not in the kasp.db file,
> nevertheless used.
> 
> In /var/lib/opendnssec/tmp/myzone.backup I see a reference to the
> ddc556f6df689c9801028b1c6db47ed7 key:
> ;;Key: locator ddc556f6df689c9801028b1c6db47ed7 algorithm 8 flags 257 publish 1 ksk 1 zsk 0
> 
> 
> I think ddc556f6df689c9801028b1c6db47ed7 was used before the last KSK,
> but why is it still used for signing although the enforcer instructs to
> use the new key?

Obviously, the signer missed the update of the signconf, but the real
question is why this happened (or in this case why something did not
happen).

Note that if the signer restarts, it reads its state from the backup
files and does not look at the signconf files. In other words, if there
are backup files for the zone, the signer requires an explicit update
command to read the signconf files.

> Meanwhile I restarted the ods-signer daemon and after the next zone file
> update, ods signed with the correct key. So for now it is fixed, but do
> you have any ideas why the signer still used the old KSK after the KSK
> rollover?

Can you perhaps provide logs (off list if you wish)?


Best regards,
  Matthijs


> 
> 
> Thanks
> Klaus
> 
> 
> On 14.11.2013 08:37, Klaus Darilion wrote:
>> Hi!
>>
>> I have a strange problem. ODS 1.3.15 with nCipher HSM. The HSM is
>> split into repositories, with every zone signed by ODS having its
>> own repository with keys. For some zones, everything works fine, but for
>> some zones, ODS uses a different key for signing than it reports with
>> ods-ksmutil.
>>
>> Output (zonename changed):
>>
>> # ods-ksmutil key export --zone myzone
>> ;active KSK DNSKEY record:
>> myzone.   3600    IN      DNSKEY  257 3 8
>> AwEAAaLK30ioBC5UjbeIlRwBJdnHPNeFyVtzpa/8a7F5gUiejwQ4YNgjzQYxuP0rumR76qjC1ymTD+cxqQNv2HyjhpYkOqwz2KVeppjTg9qvPYAohVAQ58oB03LAaCl4RqrWbdKQc5DJIB93PMYt5F7r3CPdX6Bn1Y2b+r9TXT2qhCi9bovhir8aJPXxSmAUJnKNe+5bXABO19Ow+Kq/ctZFdAFNWUT+2VJwndVtIDGyKSRrCKbLlRUmWkm2Phdy9guRl20oEQIzrTR1lqtoeEmR8VBeZbbvn+ta8zYVrczn4HxrVjsmXLOZGs61Y3ttI/079Xm4Gbifky6wIgWao3Rc7Yc=
>>
>> ;{id = 23090 (ksk), size = 2048b}
>>
>>
>> But the signed zone contains these DNSKEYs:
>> myzone.   3600    IN      DNSKEY  256 3 8
>> AwEAAcKZ7kF6xNly1CUnWA2O2FQq7OyxpriquzNDpkE8B6WZva9iXL9G9tEpjTZ9JuXYzNSE14SVaOlQpUEOvac6yhnEQr0F1yByNvT24nHqzXNm5mi1KiSw+tShD4J8WcHoijc0MnBASY5/1wkxSTjtpJ3X66lfpmV4thwcaXL65tWX
>>
>> ;{id = 52635 (zsk), size = 1024b}
>> myzone.   3600    IN      DNSKEY  257 3 8
>> AwEAAbwO+C3LvFnin99yYqY6zcnbIh5bwaTC57MlBN90RKfAAD61SbqCkLRP/IX3Nje2//0cGIt2R9+QoUGIKS0+KXpjOhoWS7dPVAUV/teYP0Y2JybsTZ0bfh+TQBqjxu68VuzAglnSFviAjM/I513tVh+pg4o/26cy/eShPzvvnruvDYrRUpuI3JBIzGPN9wTtydoht5rWHRgQ7exAU49BvkR3IvbzsxU/CZdZVw7n+Q2RZdODdMUiNjhrJDI1LVHCVlxpOCtC38KOpY4jCiuuoiY8sMEEF+OHc6zkxBmZn0YEqo8jEOEK9UZSHOTYhiXC9ymT711g+wOKX2Krm+AbPRU=
>>
>> ;{id = 39445 (ksk), size = 2048b}
>>
>> You see, the keytags (and keys) are different.
>>
>> The signatures in the signed zone are all correct (verified with bind's
>> dnssec-verify).
>>
>> Any ideas why ods-ksmutil reports a wrong key? Any hints how I can debug
>> the problem?
>>
>> Thanks
>> Klaus
>> _______________________________________________
>> Opendnssec-user mailing list
>> Opendnssec-user at lists.opendnssec.org
>> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
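As an added example (not code from this thread, and not part of OpenDNSSEC), the script below automates the two comparisons Klaus did by hand: it checks whether the signer's backup file still lists a KSK locator that the zone's signconf no longer configures (the stale state Matthijs describes after a restart), and it checks whether the DNSKEY that ods-ksmutil exports as the active KSK is actually present in the signed zone's DNSKEY RRset, computing the RFC 4034 key tag of each record so the numbers can be compared with the `id` values in the thread. The locators and DNSKEY records are the ones quoted above; the `<SignerConfiguration>`/`<Zone>`/`<Keys>` wrapper around `<Key>`, the one-line layout of the `;;Key:` backup entry, and the assumption that ods-ksmutil's `id` is the RFC 4034 key tag are ours.

```python
"""Consistency checks for an OpenDNSSEC zone whose signer and enforcer disagree.

1. signconf KSK locators (what the enforcer wants) vs. ';;Key:' entries in the
   signer backup file (what the signer restores on restart).
2. The DNSKEY ods-ksmutil reports as active KSK vs. the DNSKEY RRset in the
   signed zone, with RFC 4034 key tags computed for each record.
"""
import base64
import re
import xml.etree.ElementTree as ET

# --- 1. signconf vs. signer backup -------------------------------------------

# Constructed signconf fragment; the wrapper elements are assumed, the <Key>
# body and locator are the thread's.
SIGNCONF_XML = """<SignerConfiguration><Zone name="myzone"><Keys>
  <Key><Flags>257</Flags><Algorithm>8</Algorithm>
       <Locator>16fc0831b9e0738059c02291e0b0a140</Locator><KSK/><Publish/></Key>
</Keys></Zone></SignerConfiguration>"""

# Constructed backup excerpt; the ';;Key:' entry is assumed to sit on one line.
BACKUP_LINES = [
    ";;Key: locator ddc556f6df689c9801028b1c6db47ed7 algorithm 8 flags 257 publish 1 ksk 1 zsk 0",
]

BACKUP_KEY_RE = re.compile(
    r"^;;Key: locator (?P<loc>[0-9a-f]+) algorithm (?P<alg>\d+) flags (?P<flags>\d+) "
    r"publish (?P<pub>\d) ksk (?P<ksk>\d) zsk (?P<zsk>\d)"
)

def signconf_ksk_locators(xml_text):
    """Locators of every <Key> element carrying a <KSK/> marker."""
    root = ET.fromstring(xml_text)
    return {k.findtext("Locator") for k in root.iter("Key") if k.find("KSK") is not None}

def backup_ksk_locators(lines):
    """Locators of every ';;Key:' entry with 'ksk 1' in a signer backup file."""
    found = set()
    for line in lines:
        m = BACKUP_KEY_RE.match(line.strip())
        if m and m.group("ksk") == "1":
            found.add(m.group("loc"))
    return found

def stale_backup_ksks(xml_text, backup_lines):
    """KSK locators the signer would restore that the enforcer no longer configures."""
    return backup_ksk_locators(backup_lines) - signconf_ksk_locators(xml_text)

# --- 2. ods-ksmutil export vs. signed-zone DNSKEY RRset ----------------------

# DNSKEY records quoted from the thread (ods-ksmutil 'key export' and the signed zone).
REPORTED_ACTIVE_KSK = "myzone. 3600 IN DNSKEY 257 3 8 AwEAAaLK30ioBC5UjbeIlRwBJdnHPNeFyVtzpa/8a7F5gUiejwQ4YNgjzQYxuP0rumR76qjC1ymTD+cxqQNv2HyjhpYkOqwz2KVeppjTg9qvPYAohVAQ58oB03LAaCl4RqrWbdKQc5DJIB93PMYt5F7r3CPdX6Bn1Y2b+r9TXT2qhCi9bovhir8aJPXxSmAUJnKNe+5bXABO19Ow+Kq/ctZFdAFNWUT+2VJwndVtIDGyKSRrCKbLlRUmWkm2Phdy9guRl20oEQIzrTR1lqtoeEmR8VBeZbbvn+ta8zYVrczn4HxrVjsmXLOZGs61Y3ttI/079Xm4Gbifky6wIgWao3Rc7Yc="
SIGNED_ZONE_DNSKEYS = [
    "myzone. 3600 IN DNSKEY 256 3 8 AwEAAcKZ7kF6xNly1CUnWA2O2FQq7OyxpriquzNDpkE8B6WZva9iXL9G9tEpjTZ9JuXYzNSE14SVaOlQpUEOvac6yhnEQr0F1yByNvT24nHqzXNm5mi1KiSw+tShD4J8WcHoijc0MnBASY5/1wkxSTjtpJ3X66lfpmV4thwcaXL65tWX",
    "myzone. 3600 IN DNSKEY 257 3 8 AwEAAbwO+C3LvFnin99yYqY6zcnbIh5bwaTC57MlBN90RKfAAD61SbqCkLRP/IX3Nje2//0cGIt2R9+QoUGIKS0+KXpjOhoWS7dPVAUV/teYP0Y2JybsTZ0bfh+TQBqjxu68VuzAglnSFviAjM/I513tVh+pg4o/26cy/eShPzvvnruvDYrRUpuI3JBIzGPN9wTtydoht5rWHRgQ7exAU49BvkR3IvbzsxU/CZdZVw7n+Q2RZdODdMUiNjhrJDI1LVHCVlxpOCtC38KOpY4jCiuuoiY8sMEEF+OHc6zkxBmZn0YEqo8jEOEK9UZSHOTYhiXC9ymT711g+wOKX2Krm+AbPRU=",
]

DNSKEY_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?P<ttl>\d+)\s+IN\s+DNSKEY\s+(?P<flags>\d+)\s+(?P<proto>\d+)\s+"
    r"(?P<alg>\d+)\s+(?P<key>[A-Za-z0-9+/=\s]+)$"
)

def parse_dnskey(line):
    """Parse a presentation-format DNSKEY RR; whitespace inside the key field is ignored."""
    m = DNSKEY_RE.match(line.strip())
    if not m:
        raise ValueError("not a DNSKEY record: %r" % line)
    return {
        "owner": m.group("owner"),
        "flags": int(m.group("flags")),
        "protocol": int(m.group("proto")),
        "algorithm": int(m.group("alg")),
        "public_key": base64.b64decode("".join(m.group("key").split())),
    }

def key_tag(rec):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (flags, protocol, algorithm, key)."""
    rdata = (rec["flags"].to_bytes(2, "big")
             + bytes([rec["protocol"], rec["algorithm"]])
             + rec["public_key"])
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def _ident(rec):
    return (rec["flags"], rec["algorithm"], rec["public_key"])

def unpublished_keys(reported, published):
    """Key tags of records in `reported` whose key material is absent from `published`."""
    seen = {_ident(r) for r in published}
    return [key_tag(r) for r in reported if _ident(r) not in seen]

if __name__ == "__main__":
    print("stale KSK locators in backup:", stale_backup_ksks(SIGNCONF_XML, BACKUP_LINES))
    reported = [parse_dnskey(REPORTED_ACTIVE_KSK)]
    published = [parse_dnskey(l) for l in SIGNED_ZONE_DNSKEYS]
    for r in published:
        print("signed zone carries key tag %d (flags %d)" % (key_tag(r), r["flags"]))
    print("reported keys missing from signed zone:", unpublished_keys(reported, published))
```

Run against the thread's data, the first check reports the ddc556... locator as a KSK the signer would restore but the enforcer no longer lists, and the second reports one enforcer-side KSK that is absent from the published RRset; an empty result from both is what a healthy zone should produce after every rollover step, which makes the script a cheap post-rollover check to schedule next to `ods-ksmutil key export`.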