[Opendnssec-user] ods uses a different key for signing than reported by ods-ksmutil

Klaus Darilion klaus.mailinglists at pernau.at
Thu Nov 14 13:26:55 UTC 2013



On 14.11.2013 09:57, Matthijs Mekking wrote:
> Hi Klaus,
>
> On 11/14/2013 09:37 AM, Klaus Darilion wrote:
>> Some more debugging:
>>
>> # ods-hsmutil list| grep repo | grep 2048
>> repo  16fc0831b9e0738059c02291e0b0a140  RSA/2048 <-reported by ksmutil
>> repo  ddc556f6df689c9801028b1c6db47ed7  RSA/2048 <- used by signer
>> repo  b48880c4432ef4763b5549f947786440  RSA/2048
>>
>> In /var/lib/opendnssec/signconf/myzone.xml is configured:
>>
>>            <Key>
>>              <Flags>257</Flags>
>>                <Algorithm>8</Algorithm>
>>                   <Locator>16fc0831b9e0738059c02291e0b0a140</Locator>
>>                   <KSK />
>>                   <Publish />
>>                </Key>
>>
>> but ods uses the ddc556f6df689c9801028b1c6db47ed7 key for signing. The
>> ddc556f6df689c9801028b1c6db47ed7 is also not in the kasp.db file,
>> nevertheless used.
>>
>> In /var/lib/opendnssec/tmp/myzone.backup I see a reference to the
>> ddc556f6df689c9801028b1c6db47ed7 key:
>> ;;Key: locator ddc556f6df689c9801028b1c6db47ed7 algorithm 8 flags 257
>> publish 1 ksk 1 zsk 0
>>
>>
>> I think ddc556f6df689c9801028b1c6db47ed7 was used before the last KSK,
>> but why is it still used for signing although the enforcer instructs to
>> use the new key?
>
> Obviously, the signer missed the update of the signconf, but the real
> question is why this happened (or in this case why something did not
> happen).
>
> Note that if the signer restarts, it reads its state from the backup
> files and does not look at the signconf files. In other words, if there
> are backup files for the zone, the signer requires an explicit update
> command to read the signconf files.

The rollover was on 2013-10-30. I see from the KSK rollover protocol 
that ods-ksmutil reported the old key as "retire" and the new as 
"active". But the zone still was signed with the old key.

So, if the signer missed this update of the signconf, does this mean 
that this error would have persisted until the next update?

But I restarted ods-signerd and this solved the problem, although the 
.backup file still referenced the old key. But this would mean that the 
signer after all checked the signconf on startup.

>> Meanwhile I restarted the ods-signer daemon and after the next zone file
>> update, ods signed with the correct key. So for now it is fixed, but do
>> you have any ideas why the signer still used the old KSK after the KSK
>> rollover?
>
> Can you perhaps provide logs (off list if you wish)?

We have syslog logging, but this is rather quiet. Is there anything 
special for which I should look?

regards
Klaus
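The mismatch described in this thread (the enforcer's signconf naming one KSK locator while the signer's tmp/<zone>.backup still carries the previous one) can be detected mechanically before it shows up as stale RRSIGs. The following is an added example, not code from the thread or from the OpenDNSSEC project: it parses the <Key> elements of a signconf file and the ";;Key: locator ..." lines of a signer .backup file and reports locators that are present on only one side, split by role. The sample signconf and backup text are constructed here, modelled on the fragments quoted above; the surrounding SignerConfiguration/Zone/Keys element names follow the OpenDNSSEC 1.x signconf layout, and the ZSK locator is made up.

```python
"""Cross-check the key locators an OpenDNSSEC 1.x signer is actually using
(from the zone's tmp/<zone>.backup state file) against the ones the enforcer
wrote into signconf/<zone>.xml.  A difference in the KSK set is exactly the
symptom described in the thread."""
import re
import xml.etree.ElementTree as ET

# Constructed sample signconf, modelled on the fragment quoted in the thread.
# The ZSK locator below is made up; the element layout is assumed to match
# the OpenDNSSEC 1.x signconf format.
SIGNCONF_XML = """<?xml version="1.0" encoding="UTF-8"?>
<SignerConfiguration>
  <Zone name="myzone">
    <Keys>
      <TTL>PT3600S</TTL>
      <Key>
        <Flags>257</Flags>
        <Algorithm>8</Algorithm>
        <Locator>16fc0831b9e0738059c02291e0b0a140</Locator>
        <KSK />
        <Publish />
      </Key>
      <Key>
        <Flags>256</Flags>
        <Algorithm>8</Algorithm>
        <Locator>0123456789abcdef0123456789abcdef</Locator>
        <ZSK />
        <Publish />
      </Key>
    </Keys>
  </Zone>
</SignerConfiguration>
"""

# Constructed sample of the ;;Key: lines from tmp/myzone.backup, in the
# format quoted in the thread.  The KSK entry is the stale pre-rollover key.
BACKUP_TEXT = """;;Key: locator ddc556f6df689c9801028b1c6db47ed7 algorithm 8 flags 257 publish 1 ksk 1 zsk 0
;;Key: locator 0123456789abcdef0123456789abcdef algorithm 8 flags 256 publish 1 ksk 0 zsk 1
"""

BACKUP_KEY_RE = re.compile(
    r"^;;Key: locator (?P<locator>[0-9a-f]+) algorithm (?P<algorithm>\d+) "
    r"flags (?P<flags>\d+) publish (?P<publish>[01]) ksk (?P<ksk>[01]) zsk (?P<zsk>[01])"
)


def signconf_keys(xml_text):
    """Map locator -> key attributes, read from a signconf XML document."""
    root = ET.fromstring(xml_text)
    keys = {}
    for key in root.iter("Key"):
        keys[key.findtext("Locator").strip()] = {
            "flags": int(key.findtext("Flags")),
            "algorithm": int(key.findtext("Algorithm")),
            "ksk": key.find("KSK") is not None,
            "zsk": key.find("ZSK") is not None,
            "publish": key.find("Publish") is not None,
        }
    return keys


def backup_keys(text):
    """Same map, read from the ;;Key: lines of a signer .backup file."""
    keys = {}
    for line in text.splitlines():
        m = BACKUP_KEY_RE.match(line)
        if m:
            keys[m["locator"]] = {
                "flags": int(m["flags"]),
                "algorithm": int(m["algorithm"]),
                "ksk": m["ksk"] == "1",
                "zsk": m["zsk"] == "1",
                "publish": m["publish"] == "1",
            }
    return keys


def compare_keysets(signconf, backup):
    """Locators the signer still holds but the enforcer no longer lists
    (stale) and locators the enforcer lists but the signer has not loaded
    (missing), split by role."""
    stale = {loc: k for loc, k in backup.items() if loc not in signconf}
    missing = {loc: k for loc, k in signconf.items() if loc not in backup}
    return {
        "stale_ksk": sorted(l for l, k in stale.items() if k["ksk"]),
        "stale_zsk": sorted(l for l, k in stale.items() if k["zsk"]),
        "missing_ksk": sorted(l for l, k in missing.items() if k["ksk"]),
        "missing_zsk": sorted(l for l, k in missing.items() if k["zsk"]),
    }


def check_zone(signconf_xml, backup_text):
    """Return (ok, details); ok is True when signer state matches signconf."""
    result = compare_keysets(signconf_keys(signconf_xml), backup_keys(backup_text))
    return not any(result.values()), result


if __name__ == "__main__":
    ok, result = check_zone(SIGNCONF_XML, BACKUP_TEXT)
    for name, locators in result.items():
        for loc in locators:
            print(f"{name}: {loc}")
    if not ok:
        print("signer state differs from signconf; an explicit signer update is needed")
```

Run against the real files by reading /var/lib/opendnssec/signconf/<zone>.xml and /var/lib/opendnssec/tmp/<zone>.backup instead of the constructed strings. On the sample data the check reports the old KSK as stale and the new one as missing, which is the state Klaus observed; as the reply above notes, a signer that has loaded its state from the backup files will keep that state until it is explicitly told to re-read the signconf.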