[Opendnssec-user] keys NOT IN repository

Emil Natan shlyoko at gmail.com
Thu Dec 18 20:06:58 UTC 2014


For the record, adding a new zone not previously managed by ODS works well
on the same setup, policy and all.

Emil

On Thu, Dec 18, 2014 at 6:05 PM, Emil Natan <shlyoko at gmail.com> wrote:
>
> Hi Sion,
>
> On Thu, Dec 18, 2014 at 4:52 PM, Siôn Lloyd <sion at nominet.org.uk> wrote:
>>
>> On 18/12/14 12:38, Emil Natan wrote:
>> > Hello,
>> >
>> > Can someone please explain when and why keys are created "NOT IN
>> > repository"?
>>
>> Hi Emil,
>>
>> Is there a chance that these keys were created and then deleted? That is
>> the most likely scenario I can think of.
>>
>>
> I do not think that's the case. I had this zone managed by ODS once, but
> since then I wiped both the HSM and the ODS database, and the zone was
> commented out in zonelist.conf.
> Today I enabled the zone and I see in the log file:
>
> Dec 18 14:22:04 debugsigner002 ods-enforcerd: Key sharing is Off.
> Dec 18 14:22:04 debugsigner002 ods-enforcerd: 1 zone(s) found on policy "testpolicy"
> Dec 18 14:22:04 debugsigner002 ods-enforcerd: 1 new KSK(s) (2048 bits) need to be created for policy testpolicy: keys_to_generate(1) = keys_needed(1) - keys_available(0).
> Dec 18 14:22:16 debugsigner002 ods-enforcerd: Created key in repository Keyper
> Dec 18 14:22:16 debugsigner002 ods-enforcerd: Created KSK size: 2048, alg: 8 with id: 328387cdfb9fae6a5bf27082dc0b858b in repository: Keyper and database.
> Dec 18 14:22:16 debugsigner002 ods-enforcerd: 1 new ZSK(s) (1024 bits) need to be created for policy testpolicy: keys_to_generate(1) = keys_needed(1) - keys_available(0).
> Dec 18 14:22:19 debugsigner002 ods-enforcerd: Created key in repository Keyper
> Dec 18 14:22:19 debugsigner002 ods-enforcerd: Created ZSK size: 1024, alg: 8 with id: 6833a76d1e0834504e43c1ae47b66646 in repository: Keyper and database.
> Dec 18 14:22:19 debugsigner002 ods-enforcerd: NOTE: keys generated in repository Keyper will not become active until they have been backed up
>
> It looks like the keys were just created.
>
> Later in the log:
>
> Dec 18 14:22:19 debugsigner002 ods-enforcerd: Zone w3c.org found.
> Dec 18 14:22:19 debugsigner002 ods-enforcerd: Policy for w3c.org set to testpolicy.
> Dec 18 14:22:19 debugsigner002 ods-enforcerd: Policy testpolicy found in DB.
> Dec 18 14:22:19 debugsigner002 ods-enforcerd: Config will be output to /ods-data/var/opendnssec/signconf/w3c.org.xml.
> Dec 18 14:22:19 debugsigner002 ods-enforcerd: ZSK key allocation for zone w3c.org: 1 key(s) allocated
> Dec 18 14:22:19 debugsigner002 ods-enforcerd: KSK key allocation for zone w3c.org: 1 key(s) allocated
> Dec 18 14:22:19 debugsigner002 ods-enforcerd: INFO: Promoting ZSK from publish to active as this is the first pass for the zone
> Dec 18 14:22:19 debugsigner002 ods-enforcerd: ERROR: Trying to make non-backed up ZSK active when RequireBackup flag is set
> Dec 18 14:22:19 debugsigner002 ods-enforcerd: KsmRequestKeys returned: 65562
> Dec 18 14:22:19 debugsigner002 ods-enforcerd: Signconf not written for w3c.org
> Dec 18 14:22:19 debugsigner002 ods-enforcerd: Disconnecting from Database...
>
> and later:
>
> Dec 18 14:25:53 debugsigner002 ods-signerd: [hsm] unable to get key: key 328387cdfb9fae6a5bf27082dc0b858b not found
> Dec 18 14:25:53 debugsigner002 ods-signerd: [zone] unable to publish dnskeys for zone w3c.org: error creating dnskey
> Dec 18 14:25:53 debugsigner002 ods-signerd: [tools] unable to read zone w3c.org: failed to publish dnskeys (General error)
> Dec 18 14:25:53 debugsigner002 ods-signerd: [worker[1]] CRITICAL: failed to sign zone w3c.org: General error
> Dec 18 14:25:53 debugsigner002 ods-signerd: [worker[1]] backoff task [read] for zone w3c.org with 60 seconds
> Dec 18 14:25:53 debugsigner002 ods-signerd: [worker[1]] finished working on zone w3c.org.
>
> And my question is: if there was a problem creating the keys in the HSM,
> why are they created outside of it? Isn't it better if the process just stops?
> And where do the keys actually exist, if not in the repository? The idea was
> to always use ODS with the HSM.
> Thanks.
>
> Emil
>
>
>> If not, were any errors logged during key generation?
>>
>> Sion
>>
>> >
>> > root at debugsigner002:~# ods-ksmutil key list --zone w3c.org -v
>> > Zone:     Keytype:  State:    Date of next transition (to):  Size:  Algorithm:  CKA_ID:                           Repository:               Keytag:
>> > w3c.org   KSK       publish   2014-12-18 18:30:53 (ready)    2048   8           328387cdfb9fae6a5bf27082dc0b858b  Keyper NOT IN repository
>> > w3c.org   ZSK       active    2015-04-21 14:25:53 (retire)   1024   8           6833a76d1e0834504e43c1ae47b66646  Keyper NOT IN repository
>> >
>> > Thanks.
>> > Emil
>> >
>> >
>> > _______________________________________________
>> > Opendnssec-user mailing list
>> > Opendnssec-user at lists.opendnssec.org
>> > https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
>> >
>>
>
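The enforcer and signer messages quoted above describe one failure from two sides: the enforcer records a key as "in repository Keyper and database" and then refuses to activate it because RequireBackup is set, while the signer later cannot find the same CKA_ID in the HSM at all. Neither daemon logs the two facts together, so an operator has to correlate them by hand. The script below is an added example, not part of the original post and not OpenDNSSEC code. It assumes the ODS 1.x log wording shown in the thread; its sample input is the quoted syslog excerpt with the mail-wrapped lines rejoined (and the lines that carry no key or zone state dropped), and nothing else in it is real data.

```python
"""Correlate OpenDNSSEC 1.x enforcer and signer syslog lines per key and zone.

Added example, not OpenDNSSEC code.  SAMPLE_LOG is the excerpt quoted in the
mailing-list post above with wrapped lines rejoined; no other input is real.
"""
import re
from collections import defaultdict

SAMPLE_LOG = """\
Dec 18 14:22:16 debugsigner002 ods-enforcerd: Created KSK size: 2048, alg: 8 with id: 328387cdfb9fae6a5bf27082dc0b858b in repository: Keyper and database.
Dec 18 14:22:19 debugsigner002 ods-enforcerd: Created ZSK size: 1024, alg: 8 with id: 6833a76d1e0834504e43c1ae47b66646 in repository: Keyper and database.
Dec 18 14:22:19 debugsigner002 ods-enforcerd: NOTE: keys generated in repository Keyper will not become active until they have been backed up
Dec 18 14:22:19 debugsigner002 ods-enforcerd: Zone w3c.org found.
Dec 18 14:22:19 debugsigner002 ods-enforcerd: INFO: Promoting ZSK from publish to active as this is the first pass for the zone
Dec 18 14:22:19 debugsigner002 ods-enforcerd: ERROR: Trying to make non-backed up ZSK active when RequireBackup flag is set
Dec 18 14:22:19 debugsigner002 ods-enforcerd: Signconf not written for w3c.org
Dec 18 14:25:53 debugsigner002 ods-signerd: [hsm] unable to get key: key 328387cdfb9fae6a5bf27082dc0b858b not found
Dec 18 14:25:53 debugsigner002 ods-signerd: [zone] unable to publish dnskeys for zone w3c.org: error creating dnskey
Dec 18 14:25:53 debugsigner002 ods-signerd: [worker[1]] CRITICAL: failed to sign zone w3c.org: General error
"""

# One pattern per event the check cares about, taken from the daemons' wording in the post.
RE_CREATED = re.compile(r"ods-enforcerd: Created (?P<role>KSK|ZSK) size: (?P<bits>\d+), alg: (?P<alg>\d+) "
                        r"with id: (?P<id>[0-9a-f]+) in repository: (?P<repo>\S+) and database")
RE_BACKUP_NOTE = re.compile(r"ods-enforcerd: NOTE: keys generated in repository (?P<repo>\S+) "
                            r"will not become active until they have been backed up")
RE_ZONE = re.compile(r"ods-enforcerd: Zone (?P<zone>\S+) found\.")
RE_REQ_BACKUP = re.compile(r"ods-enforcerd: ERROR: Trying to make non-backed up (?P<role>KSK|ZSK) active "
                           r"when RequireBackup flag is set")
RE_NO_SIGNCONF = re.compile(r"ods-enforcerd: Signconf not written for (?P<zone>\S+)")
RE_HSM_MISSING = re.compile(r"ods-signerd: \[hsm\] unable to get key: key (?P<id>[0-9a-f]+) not found")
RE_SIGN_FAILED = re.compile(r"ods-signerd: \[worker\[\d+\]\] CRITICAL: failed to sign zone (?P<zone>\S+):")


def _new_zone():
    return {"require_backup_blocked": [], "signconf_written": True, "sign_failed": False}


def analyse(log_text):
    """Return {"keys": {cka_id: ...}, "repos_awaiting_backup": [...], "zones": {zone: ...}}."""
    keys = {}
    repos_awaiting_backup = set()
    zones = defaultdict(_new_zone)
    current_zone = None  # the enforcer logs "Zone X found." before its per-zone messages
    for line in log_text.splitlines():
        if m := RE_CREATED.search(line):
            keys[m["id"]] = {"role": m["role"], "bits": int(m["bits"]), "alg": int(m["alg"]),
                             "repo": m["repo"], "hsm_missing": False}
        elif m := RE_BACKUP_NOTE.search(line):
            repos_awaiting_backup.add(m["repo"])
        elif m := RE_ZONE.search(line):
            current_zone = m["zone"]
        elif m := RE_REQ_BACKUP.search(line):
            zones[current_zone or "(unknown zone)"]["require_backup_blocked"].append(m["role"])
        elif m := RE_NO_SIGNCONF.search(line):
            zones[m["zone"]]["signconf_written"] = False
        elif m := RE_HSM_MISSING.search(line):
            # The signer may complain about a key the enforcer never logged creating.
            keys.setdefault(m["id"], {"role": "?", "bits": 0, "alg": 0, "repo": "?", "hsm_missing": False})
            keys[m["id"]]["hsm_missing"] = True
        elif m := RE_SIGN_FAILED.search(line):
            zones[m["zone"]]["sign_failed"] = True
    return {"keys": keys, "repos_awaiting_backup": sorted(repos_awaiting_backup), "zones": dict(zones)}


def findings(report):
    """Turn the correlated state into one line per thing an operator must act on."""
    out = []
    for cka_id, k in report["keys"].items():
        if k["hsm_missing"]:
            out.append(f"{k['role']} {cka_id}: enforcer database says repository {k['repo']}, "
                       f"signer cannot find it there; verify against the HSM itself before trusting the database")
        elif k["repo"] in report["repos_awaiting_backup"]:
            out.append(f"{k['role']} {cka_id}: in repository {k['repo']} but RequireBackup is set and "
                       f"no backup has been recorded; it stays inactive until the backup is confirmed")
    for zone, z in report["zones"].items():
        for role in z["require_backup_blocked"]:
            out.append(f"zone {zone}: enforcer refused to activate a non-backed-up {role} (RequireBackup)")
        if not z["signconf_written"]:
            out.append(f"zone {zone}: signconf not written by the enforcer")
        if z["sign_failed"]:
            out.append(f"zone {zone}: signer failed to sign the zone")
    return out


if __name__ == "__main__":
    for line in findings(analyse(SAMPLE_LOG)):
        print(line)
```

Run against the quoted excerpt it reports the KSK as present in the enforcer database but missing from the HSM, the ZSK as blocked by RequireBackup, and w3c.org as unsigned with no signconf. The script only establishes that the enforcer database and the HSM disagree for a given CKA_ID; it does not decide why, so the next step is to check the HSM's own key inventory (for example with ods-hsmutil list) and the HSM's audit trail rather than marking anything as backed up in the enforcer.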