[Opendnssec-user] Signature failed to cryptographically verify

Jerry Lundström jerry at opendnssec.org
Mon Jun 2 10:56:43 UTC 2014

On mån, 2014-06-02 at 11:56 +0200, Gilles Massen wrote:
> Our key material is stored in an HSM (Keyper), we have a production
> HSM (which is fine) and an identical setup (with copies of the keys)
> as backup. And on the backup the signatures failed. I have no errors
> in the Keyper's logs, so it really looks as if one specific keys was
> corrupted. All other signatures are fine, so the obvious fix was to
> roll the keys, and now both systems are fine.
> One question that remains: has someone seen this kind of error? Is
> that something to be expected?

A corrupt key within Keyper would create invalid signatures and
OpenDNSSEC does not validate the information from the HSM, that was a
job for the auditor and now days we recommend other tools such as
validns to do this validation if needed.

How this happened might remain a mystery, corrupt data within the HSM,
unnoticed errors, who knows.

> And does OpenDNSSEC has by any chance a rough tool to create a sig
> with a given key referenced by the kasp.db?

Only thing that I can think off is that we have ods-hsmutil which can
generate a DNSKEY RR but you don't really have to have a specific
OpenDNSSEC tool for this. You can list the keys used for a zone and get
the CKA_ID which could be used by another tool that talks PKCS#11 to
generate signatures. I do not know of such a tool.

Jerry Lundström - OpenDNSSEC Developer

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 603 bytes
Desc: This is a digitally signed message part
URL: <http://lists.opendnssec.org/pipermail/opendnssec-user/attachments/20140602/f6daa06d/attachment.bin>

More information about the Opendnssec-user mailing list