[Opendnssec-user] Signature failed to cryptographically verify

Emil Natan shlyoko at gmail.com
Mon Jun 2 11:15:11 UTC 2014


On Mon, Jun 2, 2014 at 1:56 PM, Jerry Lundström <jerry at opendnssec.org>
wrote:

> On Mon, 2014-06-02 at 11:56 +0200, Gilles Massen wrote:
> > Our key material is stored in an HSM (Keyper), we have a production
> > HSM (which is fine) and an identical setup (with copies of the keys)
> > as backup. And on the backup the signatures failed. I have no errors
> > in the Keyper's logs, so it really looks as if one specific key was
> > corrupted. All other signatures are fine, so the obvious fix was to
> > roll the keys, and now both systems are fine.
> >
> > One question that remains: has someone seen this kind of error? Is
> > that something to be expected?
>
> A corrupt key within Keyper would create invalid signatures and
> OpenDNSSEC does not validate the information from the HSM, that was a
> job for the auditor and nowadays we recommend other tools such as
> validns to do this validation if needed.
>
> How this happened might remain a mystery, corrupt data within the HSM,
> unnoticed errors, who knows.
>
> > And does OpenDNSSEC have by any chance a rough tool to create a sig
> > with a given key referenced by the kasp.db?
>
> Only thing that I can think of is that we have ods-hsmutil which can
> generate a DNSKEY RR but you don't really have to have a specific
> OpenDNSSEC tool for this. You can list the keys used for a zone and get
> the CKA_ID which could be used by another tool that talks PKCS#11 to
> generate signatures. I do not know of such a tool.
>
I use ods-ksmutil key list to obtain the CKA_ID for all keys for a zone,
then dnssec-keyfromlabel to create the files with metadata for these keys,
store the files in a temp directory and then I use dnssec-signzone (-S) to
actually sign the zone. For the most simple scenario when there are only
two active keys, ZSK and KSK, I run dnssec-keyfromlabel twice with
different options to correctly create the ZSK and KSK files. In the middle
of a rollover or when using stand-by keys, I use dnssec-keyfromlabel a few
times, to create all needed key files.

Emil
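A scripted form of the procedure Emil describes, as an added example that is not from the thread or from OpenDNSSEC: it picks a zone's active keys out of `ods-ksmutil key list --verbose` output, builds one `dnssec-keyfromlabel` command per key (only the KSK gets `-f KSK`) and then signs with `dnssec-signzone -S`. The sample listing is constructed, and its column layout, the `pkcs11:object=` label syntax and the RSASHA256 algorithm are assumptions that depend on your OpenDNSSEC and BIND versions.

```shell
#!/bin/sh
# Added example (not OpenDNSSEC's own tooling). Re-sign a zone with the keys
# OpenDNSSEC holds in the HSM, so the signatures can be checked independently.

# Constructed sample of `ods-ksmutil key list --verbose`; the column order
# (zone, type, state, date, time, (to), CKA_ID, repository, keytag) is assumed.
SAMPLE_KEYLIST='Zone: Keytype: State: Date of next transition (to): CKA_ID: Repository: Keytag:
example.com KSK active 2014-07-02 12:00:00 (retire) 0123456789abcdef0123456789abcdef Keyper 12345
example.com ZSK active 2014-06-20 12:00:00 (retire) fedcba9876543210fedcba9876543210 Keyper 54321
example.com ZSK publish 2014-06-09 12:00:00 (ready) 00112233445566778899aabbccddeeff Keyper 11111'

# Print "KEYTYPE CKA_ID" for every active key of zone $1 in listing text $2.
# Keys in publish/ready state (stand-by or mid-rollover) are left out here.
active_keys() {
  printf '%s\n' "$2" | awk -v z="$1" '$1 == z && $3 == "active" { print $2, $7 }'
}

# Build the dnssec-keyfromlabel command for one key.
# $1=zone $2=KSK|ZSK $3=CKA_ID $4=algorithm $5=key directory
# Assumption: the HSM object is addressed by the CKA_ID hex string via a
# "pkcs11:object=..." label; adjust -l (and add -E pkcs11) to your BIND build.
keyfromlabel_cmd() {
  cmd="dnssec-keyfromlabel -K $5 -a $4"
  [ "$2" = "KSK" ] && cmd="$cmd -f KSK"
  printf '%s -l "pkcs11:object=%s" %s\n' "$cmd" "$3" "$1"
}

# Create the key files for the active keys of $1 in $3 from listing $4,
# then smart-sign zone file $2 with them.
sign_zone() {
  active_keys "$1" "$4" | while read -r ktype cka; do
    sh -c "$(keyfromlabel_cmd "$1" "$ktype" "$cka" RSASHA256 "$3")"
  done
  dnssec-signzone -S -K "$3" -o "$1" "$2"
}

# Usage against a live system (key directory should be temporary and private):
#   sign_zone example.com example.com.zone "$(mktemp -d)" "$(ods-ksmutil key list --verbose)"
```

The signed output can then be run through validns, as Jerry suggests, to confirm that every RRSIG verifies against the DNSKEY set before trusting the backup HSM.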


> --
> Jerry Lundström - OpenDNSSEC Developer
> http://www.opendnssec.org/