[Opendnssec-user] Key not found

Mark Elkins mje at posix.co.za
Tue Jun 10 13:05:12 UTC 2014


On Mon, 2014-06-09 at 15:47 +0200, David Peall wrote:
> On 09 Jun 2014, at 2:39 PM, Siôn Lloyd <sion at nominet.org.uk> wrote:
> 
> > On 09/06/14 11:30, David Peall wrote:
> >> 
> >> But then:
> >> ods-signerd: [hsm] unable to get key: key 994410881c1e66e2d075ed1ed1756679 not found
> >> ods-signerd: [zone] unable to publish dnskeys for zone <zone>: error creating dnskey
> >> ods-signerd: [tools] unable to read zone <zone>: failed to publish dnskeys (General error)
> >> 
> >> But: 
> >> ods-ksmutil key list --verbose
> >> Zone:                           Keytype:      State:    Date of next transition (to):  Size:   Algorithm:  CKA_ID:                           Repository:                       Keytag:
> >> <zone>                        KSK           publish   2014-06-10 02:17:13 (ready)    2048    8           994410881c1e66e2d075ed1ed1756679  thales                            15664
> >> 
> >> Is this because the key is not active? is this a bug?
> > Hi David,
> > 
> > The state of the key is not causing this... Does the signer run as the
> > same user/group as the enforcer?
> 
> Yes both the signer and enforcer run as the same user and group.
> 
> Regards
>> David Peall
> 


Just for fun, switched user to 'opendnssec' (the unix user)..
in conf.xml:
I have....
    <Enforcer>
        <Privileges>
            <User>opendnssec</User>
            <Group>opendnssec</Group>
        </Privileges>
-and-
    <Signer>
        <Privileges>
            <User>opendnssec</User>
            <Group>opendnssec</Group>
        </Privileges>


Can both list keys and create keys....

root at mjedev:/home/mje# su - opendnssec
opendnssec at mjedev:~$ id
uid=106(opendnssec) gid=111(netdev) groups=111(netdev),998(nfast),999(softhsm)


opendnssec at mjedev:~$ ods-ksmutil key list --verbose
MySQL database schema set to: KASP
MySQL database user set to: kaspuser
MySQL database password set
Keys:
Zone:                           Keytype:      State:    Date of next transition (to):  Size:   Algorithm:  CKA_ID:                           Repository:                       Keytag:
<zone>                          KSK           active    2015-05-29 07:53:46 (retire)   2048    8           4e75a05b5b65f8767d54ff2a303417c6  thales                            1244
[others deleted]


opendnssec at mjedev:~$ ods-ksmutil key generate --policy zacr-nsec3 --zonetotal 3 --interval 3D
Key sharing is Off
HSM opened successfully.
Info: 2 zone(s) found on policy "zacr-nsec3"
Info: Keys will actually be generated for a total of 3 zone(s) as specified by zone total parameter
1 new KSK(s) (2048 bits) need to be created for policy zacr-nsec3:
keys_to_generate(1) = keys_needed(3) - keys_available(2).
1 new ZSK(s) (1024 bits) need to be created for policy zacr-nsec3:
keys_to_generate(1) = keys_needed(3) - keys_available(2).
*WARNING* This will create 1 KSKs (2048 bits) and 1 ZSKs (1024 bits)
Are you sure? [y/N] 
Y
Created KSK size: 2048, alg: 8 with id: 85d783cf86e25fe6c9bce3cbac1cf851 in repository: thales and database.
Created ZSK size: 1024, alg: 8 with id: 98559ea5bf30685356f4d51e1ca41346 in repository: thales and database.
all done! hsm_close result: 0


Any progress???

-- 
Mark James ELKINS  -  Posix Systems - (South) Africa
mje at posix.co.za       Tel: +27.128070590  Cell: +27.826010496
For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za
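The thread's diagnosis turns on two things: whether the Signer and Enforcer `<Privileges>` in conf.xml actually match, and whether the CKA_ID the signer complains about is one the enforcer database knows. The script below automates both checks. It is an added example, not code from the thread or from the OpenDNSSEC project; the conf.xml fragment, the `ods-ksmutil key list --verbose` output and the syslog lines are constructed samples modelled on the ones posted above (the zone name, timestamps and the `deadbeef...` CKA_ID are made up), and the regular expressions assume the column layout shown in the thread.

```python
"""Cross-check ods-signerd 'key not found' errors against the enforcer's
key list, and verify that Enforcer and Signer share the same Privileges.

Added example for the thread above; not OpenDNSSEC code. All inputs below
are constructed samples in the formats the thread shows.
"""
import re
import xml.etree.ElementTree as ET

# Constructed conf.xml fragment: Enforcer and Signer deliberately differ in
# <Group>, the kind of mismatch the thread asks about.
CONF_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Configuration>
  <Enforcer>
    <Privileges><User>opendnssec</User><Group>opendnssec</Group></Privileges>
  </Enforcer>
  <Signer>
    <Privileges><User>opendnssec</User><Group>netdev</Group></Privileges>
  </Signer>
</Configuration>
"""

# Constructed `ods-ksmutil key list --verbose` output (same column layout
# as in the thread; zone name and second row are made up).
KEY_LIST = """\
MySQL database schema set to: KASP
Keys:
Zone:                           Keytype:      State:    Date of next transition (to):  Size:   Algorithm:  CKA_ID:                           Repository:                       Keytag:
example.test                    KSK           publish   2014-06-10 02:17:13 (ready)    2048    8           994410881c1e66e2d075ed1ed1756679  thales                            15664
example.test                    ZSK           active    2014-07-09 02:17:13 (retire)   1024    8           98559ea5bf30685356f4d51e1ca41346  thales                            1244
"""

# Constructed syslog lines in the shape ods-signerd logs in the thread.
SIGNER_LOG = """\
Jun  9 11:30:01 ns1 ods-signerd: [hsm] unable to get key: key 994410881c1e66e2d075ed1ed1756679 not found
Jun  9 11:30:01 ns1 ods-signerd: [zone] unable to publish dnskeys for zone example.test: error creating dnskey
Jun  9 11:30:02 ns1 ods-signerd: [hsm] unable to get key: key deadbeefdeadbeefdeadbeefdeadbeef not found
"""

# One data row of the key list: zone, type, state, ..., 32-hex CKA_ID, repo, keytag.
KEY_ROW = re.compile(
    r"^(?P<zone>\S+)\s+(?P<type>KSK|ZSK)\s+(?P<state>\S+)\s+.*?\s"
    r"(?P<cka_id>[0-9a-f]{32})\s+(?P<repo>\S+)\s+(?P<keytag>\d+)\s*$"
)
NOT_FOUND = re.compile(r"unable to get key: key (?P<cka_id>[0-9a-f]{32}) not found")


def privileges(conf_xml):
    """Return {daemon: (user, group)} for Enforcer and Signer from conf.xml."""
    root = ET.fromstring(conf_xml)
    out = {}
    for daemon in ("Enforcer", "Signer"):
        p = root.find(f"./{daemon}/Privileges")
        out[daemon] = (p.findtext("User"), p.findtext("Group")) if p is not None else (None, None)
    return out


def parse_key_list(text):
    """Map CKA_ID -> row fields for every key row in `ods-ksmutil key list --verbose`."""
    keys = {}
    for line in text.splitlines():
        m = KEY_ROW.match(line)
        if m:
            keys[m["cka_id"]] = m.groupdict()
    return keys


def missing_key_ids(log):
    """Set of CKA_IDs that ods-signerd reported as not found in the HSM."""
    return {m["cka_id"] for m in NOT_FOUND.finditer(log)}


def diagnose(conf_xml, key_list, signer_log):
    """Produce human-readable findings combining both checks."""
    findings = []
    priv = privileges(conf_xml)
    if priv["Enforcer"] != priv["Signer"]:
        findings.append(
            f"privilege mismatch: Enforcer runs as {priv['Enforcer']}, Signer as {priv['Signer']}"
        )
    keys = parse_key_list(key_list)
    for cka_id in sorted(missing_key_ids(signer_log)):
        k = keys.get(cka_id)
        if k is None:
            findings.append(f"{cka_id}: not in enforcer database either (stale reference?)")
        else:
            findings.append(
                f"{cka_id}: enforcer sees it ({k['zone']} {k['type']} state={k['state']} "
                f"repo={k['repo']}) but signer cannot open it in the HSM; check that the "
                f"signer user/group can reach the token for repository {k['repo']}"
            )
    return findings


if __name__ == "__main__":
    for line in diagnose(CONF_XML, KEY_LIST, SIGNER_LOG):
        print(line)
```

Run against real data, replace the three constants with the contents of conf.xml, the output of `ods-ksmutil key list --verbose` run as the signer user, and the relevant syslog lines. A CKA_ID that the enforcer lists but the signer cannot open points at the signer's access to the HSM slot (user, group, or PKCS#11 configuration), which is exactly the distinction the thread is chasing; an ID absent from both is a different problem.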