[Opendnssec-user] signer does not find a key
Matthijs Mekking
matthijs at pletterpet.nl
Tue Dec 16 10:18:04 UTC 2014
Hi Emil,
Short: I tried to simulate your use case (with SoftHSM, on
ubuntu-trusty-64 VM), but it seems to work for me. Perhaps I used
slightly different commands? Can you share your used commands?
Best regards,
Matthijs
Audit trail:
I started with Keys:
Zone: Keytype: State: Date of next transition:
example.com KSK publish 2014-12-16 23:55:02
example.com ZSK active 2015-03-16 09:55:02
On 16-12-14 08:54, Emil Natan wrote:
> Good morning,
>
> I have a test environment with ODS 1.4.6 and Keyper HSM where signing
> zones was working until I decided to remove all keys and start from scratch.
> I removed all keys with "ods-hsmutil purge"\
$ sudo ods-hsmutil purge SoftHSM
Purging all keys from repository: SoftHSM
2 keys found.
Are you sure you want to remove ALL keys from repository SoftHSM ?
(YES/NO) YES
Starting purge...
Key remove successful: 816416e1255a1724021895b531c0e313
Key remove successful: 615ef6c218cc6bc6d714a0742a07617b
Purge done.
> reinitialized the HSM\
Don't think this is necessary, but okay:
$ sudo softhsm --init-token --slot 0 --label "OpenDNSSEC"
The SO PIN must have a length between 4 and 255 characters.
Enter SO PIN:
The user PIN must have a length between 4 and 255 characters.
Enter user PIN:
The token has been initialized.
> removed the single zone I used to sign\
$ sudo ods-ksmutil zone delete --zone example.com
zonelist filename set to /etc/opendnssec/zonelist.xml.
Zone list updated: 1 removed, 0 added, 0 updated.
> reinitialized the database "ods-ksmutil setup"\
I think you should first stop the opendnssec service, but I will not do
that now:
$ sudo ods-ksmutil setup
*WARNING* This will erase all data in the database; are you sure? [y/N] y
fixing permissions on file /var/opendnssec/kasp.db
zonelist filename set to /etc/opendnssec/zonelist.xml.
kasp filename set to /etc/opendnssec/kasp.xml.
Repository SoftHSM found
No Maximum Capacity set.
RequireBackup NOT set; please make sure that you know the potential
problems of using keys which are not recoverable
INFO: The XML in /etc/opendnssec/conf.xml is valid
INFO: The XML in /etc/opendnssec/zonelist.xml is valid
INFO: The XML in /etc/opendnssec/kasp.xml is valid
WARNING: In policy default, Y used in duration field for Keys/KSK
Lifetime (P1Y) in /etc/opendnssec/kasp.xml - this will be interpreted as
365 days
WARNING: In policy lab, Y used in duration field for Keys/KSK Lifetime
(P1Y) in /etc/opendnssec/kasp.xml - this will be interpreted as 365 days
Policy default found
Info: converting P1Y to seconds; M interpreted as 31 days, Y interpreted
as 365 days
Policy lab found
Info: converting P1Y to seconds; M interpreted as 31 days, Y interpreted
as 365 days
> pregenerated new keys\
But you have no zones currently (you removed the single zone)?
$ sudo ods-ksmutil key generate --policy default --interval P1Y
Key sharing is Off
Info: converting P1Y to seconds; M interpreted as 31 days, Y interpreted
as 365 days
HSM opened successfully.
Info: 0 zone(s) found on policy "default"
No zones on policy default, skipping...
> added a zone\
$ sudo ods-ksmutil zone add --zone example.com
zonelist filename set to /etc/opendnssec/zonelist.xml.
Imported zone: example.com
> updated, restarted all services.
$ sudo ods-control stop
Stopping enforcer...
Stopping signer engine...
Engine shut down.
$ sudo ods-control start
Starting enforcer...
OpenDNSSEC ods-enforcerd started (version 1.4.6), pid 28343
Starting signer engine...
OpenDNSSEC signer engine version 1.4.6
Engine running.
> Everything seems to worked well, but the signer does not find one of the
> keys to sign the zone, more specifically the KSK. I went the above
> process few times, always ending with:
>
> Dec 16 09:40:27 debugsigner002 ods-signerd: [hsm] unable to get key: key
> f81e4b2cb33eec780320b6ceeb6f6bb8 not found
> Dec 16 09:40:27 debugsigner002 ods-signerd: [zone] unable to publish
> dnskeys for zone XXX: error creating dnskey
> Dec 16 09:40:27 debugsigner002 ods-signerd: [tools] unable to read zone
> XXX: failed to publish dnskeys (General error)
> Dec 16 09:40:27 debugsigner002 ods-signerd: [worker[4]] CRITICAL: failed
> to sign zone XXX: General error
For me, it finds the old key in the
`/var/opendnssec/tmp/example.com.backup2` file and decides it is corrupted:
Dec 16 10:07:59 vagrant-ubuntu-trusty-64 ods-signerd: [hsm] libhsm
connection opened succesfully
Dec 16 10:07:59 vagrant-ubuntu-trusty-64 ods-signerd: [engine] signer
started (version 1.4.6), pid 28355
Dec 16 10:07:59 vagrant-ubuntu-trusty-64 ods-signerd: [hsm] unable to
get key: key 615ef6c218cc6bc6d714a0742a07617b not found
Dec 16 10:07:59 vagrant-ubuntu-trusty-64 ods-signerd: [zone] unable to
publish dnskeys for zone example.com: error creating dnskey
Dec 16 10:07:59 vagrant-ubuntu-trusty-64 ods-signerd: [zone] corrupted
backup file zone example.com: unable to publish dnskeys (General error)
Dec 16 10:07:59 vagrant-ubuntu-trusty-64 ods-signerd: [engine] unable to
recover zone example.com from backup, performing full sign
Dec 16 10:07:59 vagrant-ubuntu-trusty-64 ods-signerd: [signconf] zone
example.com signconf: RESIGN[PT7200S] REFRESH[PT259200S]
VALIDITY[PT1209600S] DENIAL[PT1209600S] JITTER[PT43200S] OFFSET[PT3600S]
NSEC[50] DNSKEYTTL[PT3600S] SOATTL[PT3600S] MINIMUM[PT3600S]
SERIAL[unixtime]
Dec 16 10:07:59 vagrant-ubuntu-trusty-64 ods-signerd: [STATS]
example.com 1418724479 RR[count=61 time=0(sec)] NSEC3[count=60
time=0(sec)] RRSIG[new=112 reused=0 time=0(sec) avg=0(sig/sec)]
TOTAL[time=0(sec)]
> The key exist in both HSM and database. ods-hsmutil lists it:
>
> root at debugsigner002:~# ods-hsmutil list | grep
> f81e4b2cb33eec780320b6ceeb6f6bb8
> Keyper f81e4b2cb33eec780320b6ceeb6f6bb8 RSA/2048
>
> ods-ksmutil shows it:
>
> root at debugsigner002:~# ods-ksmutil key list -v
> Keys:
> Zone: Keytype: State: Date of next
> transition (to): Size: Algorithm: CKA_ID:
> Repository: Keytag:
> XXX KSK active 2016-01-16
> 09:49:45 (retire) 2048 8 f81e4b2cb33eec780320b6ceeb6f6bb8
> Keyper 6061
> XXX ZSK active 2015-04-18
> 22:40:55 (retire) 1024 8 d2aa0ba9af0f41429d23ea387abb836a
> Keyper
>
> external tools - dnssec-keyfromlabel can use it.
> No other errors in the log.
>
> Any ideas what's wrong? Suggestions what else to try?
> Thanks.
>
> Emil
>
>
>
>
>
> _______________________________________________
> Opendnssec-user mailing list
> Opendnssec-user at lists.opendnssec.org
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
>
More information about the Opendnssec-user
mailing list