[Opendnssec-user] signer does not find a key

Matthijs Mekking matthijs at pletterpet.nl
Tue Dec 16 10:18:04 UTC 2014


Hi Emil,

Short: I tried to simulate your use case (with SoftHSM, on
ubuntu-trusty-64 VM), but it seems to work for me. Perhaps I used
slightly different commands? Can you share your used commands?

Best regards,
  Matthijs


Audit trail:

I started with Keys:
Zone:                  Keytype:      State:    Date of next transition:
example.com            KSK           publish   2014-12-16 23:55:02
example.com            ZSK           active    2015-03-16 09:55:02

On 16-12-14 08:54, Emil Natan wrote:
> Good morning,
> 
> I have a test environment with ODS 1.4.6 and Keyper HSM where signing
> zones was working until I decided to remove all keys and start from scratch.
> I removed all keys with "ods-hsmutil purge"\

$ sudo ods-hsmutil purge SoftHSM
Purging all keys from repository: SoftHSM
2 keys found.

Are you sure you want to remove ALL keys from repository SoftHSM ?
(YES/NO) YES

Starting purge...
Key remove successful: 816416e1255a1724021895b531c0e313
Key remove successful: 615ef6c218cc6bc6d714a0742a07617b
Purge done.


> reinitialized the HSM\

Don't think this is necessary, but okay:

$ sudo softhsm --init-token --slot 0 --label "OpenDNSSEC"
The SO PIN must have a length between 4 and 255 characters.
Enter SO PIN:
The user PIN must have a length between 4 and 255 characters.
Enter user PIN:
The token has been initialized.


> removed the single zone I used to sign\

$ sudo ods-ksmutil zone delete --zone example.com
zonelist filename set to /etc/opendnssec/zonelist.xml.
Zone list updated: 1 removed, 0 added, 0 updated.


> reinitialized the database "ods-ksmutil setup"\

I think you should first stop the opendnssec service, but I will not do
that now:

$ sudo ods-ksmutil setup
*WARNING* This will erase all data in the database; are you sure? [y/N] y
fixing permissions on file /var/opendnssec/kasp.db
zonelist filename set to /etc/opendnssec/zonelist.xml.
kasp filename set to /etc/opendnssec/kasp.xml.
Repository SoftHSM found
No Maximum Capacity set.
RequireBackup NOT set; please make sure that you know the potential
problems of using keys which are not recoverable
INFO: The XML in /etc/opendnssec/conf.xml is valid
INFO: The XML in /etc/opendnssec/zonelist.xml is valid
INFO: The XML in /etc/opendnssec/kasp.xml is valid
WARNING: In policy default, Y used in duration field for Keys/KSK
Lifetime (P1Y) in /etc/opendnssec/kasp.xml - this will be interpreted as
365 days
WARNING: In policy lab, Y used in duration field for Keys/KSK Lifetime
(P1Y) in /etc/opendnssec/kasp.xml - this will be interpreted as 365 days
Policy default found
Info: converting P1Y to seconds; M interpreted as 31 days, Y interpreted
as 365 days
Policy lab found
Info: converting P1Y to seconds; M interpreted as 31 days, Y interpreted
as 365 days


> pregenerated new keys\

But you have no zones currently (you removed the single zone)?

$ sudo ods-ksmutil key generate --policy default --interval P1Y
Key sharing is Off
Info: converting P1Y to seconds; M interpreted as 31 days, Y interpreted
as 365 days
HSM opened successfully.
Info: 0 zone(s) found on policy "default"
No zones on policy default, skipping...


> added a zone\

$ sudo ods-ksmutil zone add --zone example.com
zonelist filename set to /etc/opendnssec/zonelist.xml.
Imported zone: example.com


> updated, restarted all services.

$ sudo ods-control stop
Stopping enforcer...
Stopping signer engine...
Engine shut down.

$ sudo ods-control start
Starting enforcer...
OpenDNSSEC ods-enforcerd started (version 1.4.6), pid 28343
Starting signer engine...
OpenDNSSEC signer engine version 1.4.6
Engine running.

> Everything seems to have worked well, but the signer does not find one of the
> keys to sign the zone, more specifically the KSK. I went through the above
> process a few times, always ending with:
> 
> Dec 16 09:40:27 debugsigner002 ods-signerd: [hsm] unable to get key: key
> f81e4b2cb33eec780320b6ceeb6f6bb8 not found
> Dec 16 09:40:27 debugsigner002 ods-signerd: [zone] unable to publish
> dnskeys for zone XXX: error creating dnskey
> Dec 16 09:40:27 debugsigner002 ods-signerd: [tools] unable to read zone
> XXX: failed to publish dnskeys (General error)
> Dec 16 09:40:27 debugsigner002 ods-signerd: [worker[4]] CRITICAL: failed
> to sign zone XXX: General error

For me, it finds the old key in the
`/var/opendnssec/tmp/example.com.backup2` file and decides it is corrupted:

Dec 16 10:07:59 vagrant-ubuntu-trusty-64 ods-signerd: [hsm] libhsm
connection opened succesfully
Dec 16 10:07:59 vagrant-ubuntu-trusty-64 ods-signerd: [engine] signer
started (version 1.4.6), pid 28355
Dec 16 10:07:59 vagrant-ubuntu-trusty-64 ods-signerd: [hsm] unable to
get key: key 615ef6c218cc6bc6d714a0742a07617b not found
Dec 16 10:07:59 vagrant-ubuntu-trusty-64 ods-signerd: [zone] unable to
publish dnskeys for zone example.com: error creating dnskey
Dec 16 10:07:59 vagrant-ubuntu-trusty-64 ods-signerd: [zone] corrupted
backup file zone example.com: unable to publish dnskeys (General error)
Dec 16 10:07:59 vagrant-ubuntu-trusty-64 ods-signerd: [engine] unable to
recover zone example.com from backup, performing full sign
Dec 16 10:07:59 vagrant-ubuntu-trusty-64 ods-signerd: [signconf] zone
example.com signconf: RESIGN[PT7200S] REFRESH[PT259200S]
VALIDITY[PT1209600S] DENIAL[PT1209600S] JITTER[PT43200S] OFFSET[PT3600S]
NSEC[50] DNSKEYTTL[PT3600S] SOATTL[PT3600S] MINIMUM[PT3600S]
SERIAL[unixtime]
Dec 16 10:07:59 vagrant-ubuntu-trusty-64 ods-signerd: [STATS]
example.com 1418724479 RR[count=61 time=0(sec)] NSEC3[count=60
time=0(sec)] RRSIG[new=112 reused=0 time=0(sec) avg=0(sig/sec)]
TOTAL[time=0(sec)]


> The key exists in both HSM and database. ods-hsmutil lists it:
> 
> root at debugsigner002:~# ods-hsmutil list | grep f81e4b2cb33eec780320b6ceeb6f6bb8
> Keyper                f81e4b2cb33eec780320b6ceeb6f6bb8  RSA/2048
> 
> ods-ksmutil shows it:
> 
> root at debugsigner002:~# ods-ksmutil key list -v
> Keys:
> Zone:  Keytype:  State:   Date of next transition (to):  Size:  Algorithm:  CKA_ID:                           Repository:  Keytag:
> XXX    KSK       active   2016-01-16 09:49:45 (retire)   2048   8           f81e4b2cb33eec780320b6ceeb6f6bb8  Keyper       6061
> XXX    ZSK       active   2015-04-18 22:40:55 (retire)   1024   8           d2aa0ba9af0f41429d23ea387abb836a  Keyper
> 
> External tools (dnssec-keyfromlabel) can use it.
> No other errors in the log.
> 
> Any ideas what's wrong? Suggestions what else to try?
> Thanks.
> 
> Emil
> 

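As an added diagnostic (not part of this thread and not an OpenDNSSEC tool), the script below parses signer log lines and `ods-hsmutil list` output in the formats quoted above and tells the two failure modes apart: a CKA_ID the HSM no longer holds (a stale reference, like the purged key still named in the backup file in Matthijs's run) versus a CKA_ID that is present in the HSM but the signer still cannot get (Emil's case). The sample log and list output are constructed from the excerpts in this thread; the header line in the list sample is assumed.

```python
import re

# "[hsm] unable to get key: key <CKA_ID> not found", as logged by ods-signerd
# in the excerpts above (the syslog prefix before it is ignored).
KEY_NOT_FOUND = re.compile(r"\[hsm\] unable to get key: key ([0-9a-f]{32}) not found")
# One key line of `ods-hsmutil list`: "<repository>  <CKA_ID>  <type>/<bits>"
HSM_LIST_LINE = re.compile(r"^(\S+)\s+([0-9a-f]{32})\s+(\S+)$")

# Constructed samples modelled on the log lines and list output quoted in the thread.
SIGNER_LOG = """\
Dec 16 10:07:59 vagrant-ubuntu-trusty-64 ods-signerd: [hsm] libhsm connection opened succesfully
Dec 16 10:07:59 vagrant-ubuntu-trusty-64 ods-signerd: [hsm] unable to get key: key 615ef6c218cc6bc6d714a0742a07617b not found
Dec 16 09:40:27 debugsigner002 ods-signerd: [hsm] unable to get key: key f81e4b2cb33eec780320b6ceeb6f6bb8 not found
""".splitlines()

HSM_LIST = """\
Repository            ID                                Type
Keyper                f81e4b2cb33eec780320b6ceeb6f6bb8  RSA/2048
"""


def missing_keys(log_lines):
    """Return the set of CKA_IDs the signer reported as not found."""
    found = set()
    for line in log_lines:
        m = KEY_NOT_FOUND.search(line)
        if m:
            found.add(m.group(1))
    return found


def hsm_keys(list_output):
    """Parse `ods-hsmutil list` output into {cka_id: repository}; header lines do not match."""
    keys = {}
    for line in list_output.splitlines():
        m = HSM_LIST_LINE.match(line.strip())
        if m:
            keys[m.group(2)] = m.group(1)
    return keys


def classify(log_lines, list_output):
    """Map each key the signer could not find to a verdict: stale reference vs. inaccessible key."""
    present = hsm_keys(list_output)
    verdicts = {}
    for cka in sorted(missing_keys(log_lines)):
        if cka in present:
            verdicts[cka] = "present in HSM (%s): signer cannot access an existing key" % present[cka]
        else:
            verdicts[cka] = "absent from HSM: stale reference, check the signer's backup/tmp files"
    return verdicts


if __name__ == "__main__":
    for cka, verdict in classify(SIGNER_LOG, HSM_LIST).items():
        print(cka, "->", verdict)
```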