[Opendnssec-user] keys NOT IN repository

Emil Natan shlyoko at gmail.com
Thu Dec 18 16:05:30 UTC 2014


Hi Sion,

On Thu, Dec 18, 2014 at 4:52 PM, Siôn Lloyd <sion at nominet.org.uk> wrote:
>
> On 18/12/14 12:38, Emil Natan wrote:
> > Hello,
> >
> > Can someone please explain when and why keys are created "NOT IN
> > repository"?
>
> Hi Emil,
>
> Is there a chance that these keys were created and then deleted? That is
> the most likely scenario I can think of.
>
>
I do not think that's the case. I had this zone managed by ODS once, but
since then I wiped both the HSM and the ODS database, and the zone was commented
out in zonelist.conf.
Today I enabled the zone and I see in the log file:

Dec 18 14:22:04 debugsigner002 ods-enforcerd: Key sharing is Off.
Dec 18 14:22:04 debugsigner002 ods-enforcerd: 1 zone(s) found on policy "testpolicy"
Dec 18 14:22:04 debugsigner002 ods-enforcerd: 1 new KSK(s) (2048 bits) need to be created for policy testpolicy: keys_to_generate(1) = keys_needed(1) - keys_available(0).
Dec 18 14:22:16 debugsigner002 ods-enforcerd: Created key in repository Keyper
Dec 18 14:22:16 debugsigner002 ods-enforcerd: Created KSK size: 2048, alg: 8 with id: 328387cdfb9fae6a5bf27082dc0b858b in repository: Keyper and database.
Dec 18 14:22:16 debugsigner002 ods-enforcerd: 1 new ZSK(s) (1024 bits) need to be created for policy testpolicy: keys_to_generate(1) = keys_needed(1) - keys_available(0).
Dec 18 14:22:19 debugsigner002 ods-enforcerd: Created key in repository Keyper
Dec 18 14:22:19 debugsigner002 ods-enforcerd: Created ZSK size: 1024, alg: 8 with id: 6833a76d1e0834504e43c1ae47b66646 in repository: Keyper and database.
Dec 18 14:22:19 debugsigner002 ods-enforcerd: NOTE: keys generated in repository Keyper will not become active until they have been backed up

It looks like the keys were just created.

Later in the log:

Dec 18 14:22:19 debugsigner002 ods-enforcerd: Zone w3c.org found.
Dec 18 14:22:19 debugsigner002 ods-enforcerd: Policy for w3c.org set to testpolicy.
Dec 18 14:22:19 debugsigner002 ods-enforcerd: Policy testpolicy found in DB.
Dec 18 14:22:19 debugsigner002 ods-enforcerd: Config will be output to /ods-data/var/opendnssec/signconf/w3c.org.xml.
Dec 18 14:22:19 debugsigner002 ods-enforcerd: ZSK key allocation for zone w3c.org: 1 key(s) allocated
Dec 18 14:22:19 debugsigner002 ods-enforcerd: KSK key allocation for zone w3c.org: 1 key(s) allocated
Dec 18 14:22:19 debugsigner002 ods-enforcerd: INFO: Promoting ZSK from publish to active as this is the first pass for the zone
Dec 18 14:22:19 debugsigner002 ods-enforcerd: ERROR: Trying to make non-backed up ZSK active when RequireBackup flag is set
Dec 18 14:22:19 debugsigner002 ods-enforcerd: KsmRequestKeys returned: 65562
Dec 18 14:22:19 debugsigner002 ods-enforcerd: Signconf not written for w3c.org
Dec 18 14:22:19 debugsigner002 ods-enforcerd: Disconnecting from Database...

and later:

Dec 18 14:25:53 debugsigner002 ods-signerd: [hsm] unable to get key: key 328387cdfb9fae6a5bf27082dc0b858b not found
Dec 18 14:25:53 debugsigner002 ods-signerd: [zone] unable to publish dnskeys for zone w3c.org: error creating dnskey
Dec 18 14:25:53 debugsigner002 ods-signerd: [tools] unable to read zone w3c.org: failed to publish dnskeys (General error)
Dec 18 14:25:53 debugsigner002 ods-signerd: [worker[1]] CRITICAL: failed to sign zone w3c.org: General error
Dec 18 14:25:53 debugsigner002 ods-signerd: [worker[1]] backoff task [read] for zone w3c.org with 60 seconds
Dec 18 14:25:53 debugsigner002 ods-signerd: [worker[1]] finished working on zone w3c.org.

And my question is: if there was a problem creating the keys in the HSM,
why are they created outside of it? Isn't it better if the process just stops?
And where do the keys actually exist if not in the repository? The idea was
to use ODS always with the HSM.
Thanks.

Emil


> If not, were any errors logged during key generation?
>
> Sion
>
> >
> > root at debugsigner002:~# ods-ksmutil key list --zone w3c.org -v
> > Zone:     Keytype:  State:    Date of next transition (to):  Size:  Algorithm:  CKA_ID:                           Repository:               Keytag:
> > w3c.org   KSK       publish   2014-12-18 18:30:53 (ready)    2048   8           328387cdfb9fae6a5bf27082dc0b858b  Keyper NOT IN repository
> > w3c.org   ZSK       active    2015-04-21 14:25:53 (retire)   1024   8           6833a76d1e0834504e43c1ae47b66646  Keyper NOT IN repository
> >
> > Thanks.
> > Emil
> >
> >
> > _______________________________________________
> > Opendnssec-user mailing list
> > Opendnssec-user at lists.opendnssec.org
> > https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
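A log-correlation check, added here as an example and not code from the thread or from OpenDNSSEC, that reads ods-enforcerd and ods-signerd lines like the ones above and reports keys the enforcer recorded as created in a repository but the signer later could not load from the HSM (the condition ods-ksmutil shows as "NOT IN repository"), together with any RequireBackup refusals. The sample log lines are constructed from the excerpts in this message; the function name and regular expressions are my own.

```python
import re

# Constructed sample, modelled on the enforcer and signer log excerpts in the thread.
SAMPLE_LOG = """\
Dec 18 14:22:16 debugsigner002 ods-enforcerd: Created key in repository Keyper
Dec 18 14:22:16 debugsigner002 ods-enforcerd: Created KSK size: 2048, alg: 8 with id: 328387cdfb9fae6a5bf27082dc0b858b in repository: Keyper and database.
Dec 18 14:22:19 debugsigner002 ods-enforcerd: Created ZSK size: 1024, alg: 8 with id: 6833a76d1e0834504e43c1ae47b66646 in repository: Keyper and database.
Dec 18 14:22:19 debugsigner002 ods-enforcerd: NOTE: keys generated in repository Keyper will not become active until they have been backed up
Dec 18 14:22:19 debugsigner002 ods-enforcerd: ERROR: Trying to make non-backed up ZSK active when RequireBackup flag is set
Dec 18 14:25:53 debugsigner002 ods-signerd: [hsm] unable to get key: key 328387cdfb9fae6a5bf27082dc0b858b not found
"""

# Enforcer line recording a key in both the HSM repository and the KASP database.
CREATED_RE = re.compile(
    r"ods-enforcerd: Created (KSK|ZSK) size: (\d+), alg: (\d+) with id: ([0-9a-f]+) in repository: (\S+)")
# Signer line for a CKA_ID the database knows but the HSM cannot return.
NOTFOUND_RE = re.compile(r"ods-signerd: \[hsm\] unable to get key: key ([0-9a-f]+) not found")
# Enforcer refusal to activate a key that has not been backed up.
BACKUP_RE = re.compile(
    r"ods-enforcerd: ERROR: Trying to make non-backed up (KSK|ZSK) active when RequireBackup flag is set")


def audit_key_log(text):
    """Correlate key creation and key lookup failures across enforcer/signer log lines."""
    created = {}      # cka_id -> {"type", "bits", "alg", "repo"} as recorded by the enforcer
    missing = set()   # cka_ids the signer failed to load from the HSM
    backup_errors = []
    for line in text.splitlines():
        if (m := CREATED_RE.search(line)):
            ktype, bits, alg, cka_id, repo = m.groups()
            created[cka_id] = {"type": ktype, "bits": int(bits), "alg": int(alg), "repo": repo}
        elif (m := NOTFOUND_RE.search(line)):
            missing.add(m.group(1))
        elif (m := BACKUP_RE.search(line)):
            backup_errors.append(m.group(1))
    # Known to the database but absent from the HSM: what "NOT IN repository" means.
    orphaned = {k: v for k, v in created.items() if k in missing}
    # Missing with no creation record in this log window: the HSM or database changed underneath ODS.
    unknown_missing = sorted(missing - set(created))
    return {"created": created, "orphaned": orphaned,
            "unknown_missing": unknown_missing, "backup_errors": backup_errors}


if __name__ == "__main__":
    report = audit_key_log(SAMPLE_LOG)
    for cka_id, info in report["orphaned"].items():
        print(f"{info['type']} {cka_id}: in database, NOT IN repository {info['repo']}")
    for ktype in report["backup_errors"]:
        print(f"{ktype} activation refused: RequireBackup is set and the key is not backed up")
```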