[Opendnssec-user] keys NOT IN repository

Emil Natan shlyoko at gmail.com
Fri Dec 19 16:17:35 UTC 2014


On Fri, Dec 19, 2014 at 10:37 AM, Siôn Lloyd <sion at nominet.org.uk> wrote:
>
> <snip>
>
> > Dec 18 14:22:19 debugsigner002 ods-enforcerd: Created key in repository
> > Keyper
> > Dec 18 14:22:19 debugsigner002 ods-enforcerd: Created ZSK size: 1024,
> > alg: 8 with id: 6833a76d1e0834504e43c1ae47b66646 in repository: Keyper
> > and database.
>
> <snip>
>
> > And my question is if there was a problem to create the keys in the HSM,
> > why are they created out of it? Isn't it better if the process just
> > stops? And where do the keys actually exist if not in the repository? The
> > idea was to use ODS always with HSM.
> > Thanks.
>
> So it looks like the enforcer believed that the keys were properly
> created in the HSM. But then when it comes time to use the keys (either
> "key list -v" or signing) they can not be found...
>
> Note that the HSM is the _only_ place that the keys can be created;
> there is no fall-back to softHSM or keys on disk. So what this message
> means is that the enforcer's database is referring to keys that do not
> exist at all. (Or at least the system can not access them for some reason.)
>
> Do other tools show if the keys exist or not?
>

I'm afraid we'll never know. I was using this zone for testing. When the
problems occurred, I added a new zone which was never defined in ODS; key
generation and everything worked straight away, and I decided to delete the
w3c.org zone (comment it in zonelist.xml) to keep the configuration and
logs clean. Adding w3c.org back made the keys properly generated and used
for signing. I'll update if I'm able to reproduce the issue.
And thanks for the general information about the key generation.

Emil

> Sion
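An added example, not part of the original thread or of OpenDNSSEC: one way to check whether keys the enforcer logged as created actually exist in the HSM, by reconciling the `ods-enforcerd` log format quoted above against a key listing taken from the HSM itself. The listing layout (repository, 32-hex key ID, type), the second log line and the two extra key IDs are constructed assumptions.

```python
import re

# Format of the ods-enforcerd line quoted in the thread.
CREATED_RE = re.compile(
    r"Created (KSK|ZSK) size: (\d+), alg: (\d+) "
    r"with id: ([0-9a-f]{32}) in repository: (\S+)")
# Assumed listing row: "<repository>  <32-hex key id>  <type>".
ROW_RE = re.compile(r"^[ \t]*(\S+)[ \t]+([0-9a-f]{32})\b", re.M)

# Constructed sample log: the first line is from the thread, the second is made up.
SAMPLE_LOG = """\
Dec 18 14:22:19 debugsigner002 ods-enforcerd: Created ZSK size: 1024, alg: 8 with id: 6833a76d1e0834504e43c1ae47b66646 in repository: Keyper and database.
Dec 18 14:22:20 debugsigner002 ods-enforcerd: Created KSK size: 2048, alg: 8 with id: 0123456789abcdef0123456789abcdef in repository: Keyper and database.
"""
# Constructed sample of what the HSM itself reports (layout is an assumption).
SAMPLE_HSM_LISTING = """\
Repository  ID                                Type
----------  --                                ----
Keyper      0123456789abcdef0123456789abcdef  RSA/2048
Keyper      ffffffffffffffffffffffffffffffff  RSA/1024
"""

def claimed_keys(log_text):
    """Map (repository, key id) -> (role, size, alg) for keys the enforcer logged."""
    flat = " ".join(log_text.split())  # tolerate log lines wrapped by a mail client
    return {(m[5], m[4]): (m[1], int(m[2]), int(m[3]))
            for m in CREATED_RE.finditer(flat)}

def hsm_keys(listing_text):
    """Set of (repository, key id) pairs actually present in the HSM listing."""
    return {(m[1], m[2]) for m in ROW_RE.finditer(listing_text)}

def reconcile(log_text, listing_text):
    """Return (missing, unreferenced): keys logged as created but absent from
    the HSM, and keys in the HSM that this log never mentions."""
    claimed, present = claimed_keys(log_text), hsm_keys(listing_text)
    missing = {k: v for k, v in claimed.items() if k not in present}
    unreferenced = sorted(present - set(claimed))
    return missing, unreferenced

if __name__ == "__main__":
    missing, unreferenced = reconcile(SAMPLE_LOG, SAMPLE_HSM_LISTING)
    for (repo, key_id), (role, size, alg) in sorted(missing.items()):
        print(f"NOT IN HSM: {role} {key_id} (size {size}, alg {alg}) repo {repo}")
    for repo, key_id in unreferenced:
        print(f"in HSM, not in log: {key_id} repo {repo}")
```

A key reported as missing here is the condition described in the thread: the enforcer's database refers to a key the HSM cannot produce, so signing with it will fail.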