[Opendnssec-user] Key not found
Mark Elkins
mje at posix.co.za
Tue Jun 10 13:05:12 UTC 2014
On Mon, 2014-06-09 at 15:47 +0200, David Peall wrote:
> On 09 Jun 2014, at 2:39 PM, Siôn Lloyd <sion at nominet.org.uk> wrote:
>
> > On 09/06/14 11:30, David Peall wrote:
> >>
> >> But then:
> >> ods-signerd: [hsm] unable to get key: key 994410881c1e66e2d075ed1ed1756679 not found
> >> ods-signerd: [zone] unable to publish dnskeys for zone <zone>: error creating dnskey
> >> ods-signerd: [tools] unable to read zone <zone>: failed to publish dnskeys (General error)
> >>
> >> But:
> >> ods-ksmutil key list --verbose
> >> Zone: Keytype: State: Date of next transition (to): Size: Algorithm: CKA_ID: Repository: Keytag:
> >> <zone> KSK publish 2014-06-10 02:17:13 (ready) 2048 8 994410881c1e66e2d075ed1ed1756679 thales 15664
> >>
> >> Is this because the key is not active? is this a bug?
> > Hi David,
> >
> > The state of the key is not causing this... Does the signer run as the
> > same user/group as the enforcer?
>
> Yes both the signer and enforcer run as the same user and group.
>
> Regards
> —
> David Peall
>
Just for fun, I switched user to 'opendnssec' (the unix user).
In conf.xml I have:
<Enforcer>
<Privileges>
<User>opendnssec</User>
<Group>opendnssec</Group>
</Privileges>
-and-
<Signer>
<Privileges>
<User>opendnssec</User>
<Group>opendnssec</Group>
</Privileges>
Can both list keys and create keys....
root at mjedev:/home/mje# su - opendnssec
opendnssec at mjedev:~$ id
uid=106(opendnssec) gid=111(netdev) groups=111(netdev),998(nfast),999(softhsm)
opendnssec at mjedev:~$ ods-ksmutil key list --verbose
MySQL database schema set to: KASP
MySQL database user set to: kaspuser
MySQL database password set
Keys:
Zone: Keytype: State: Date of next transition (to): Size: Algorithm: CKA_ID: Repository: Keytag:
<zone> KSK active 2015-05-29 07:53:46 (retire) 2048 8 4e75a05b5b65f8767d54ff2a303417c6 thales 1244
[others deleted]
opendnssec at mjedev:~$ ods-ksmutil key generate --policy zacr-nsec3 --zonetotal 3 --interval 3D
Key sharing is Off
HSM opened successfully.
Info: 2 zone(s) found on policy "zacr-nsec3"
Info: Keys will actually be generated for a total of 3 zone(s) as specified by zone total parameter
1 new KSK(s) (2048 bits) need to be created for policy zacr-nsec3:
keys_to_generate(1) = keys_needed(3) - keys_available(2).
1 new ZSK(s) (1024 bits) need to be created for policy zacr-nsec3:
keys_to_generate(1) = keys_needed(3) - keys_available(2).
*WARNING* This will create 1 KSKs (2048 bits) and 1 ZSKs (1024 bits)
Are you sure? [y/N]
Y
Created KSK size: 2048, alg: 8 with id: 85d783cf86e25fe6c9bce3cbac1cf851 in repository: thales and database.
Created ZSK size: 1024, alg: 8 with id: 98559ea5bf30685356f4d51e1ca41346 in repository: thales and database.
all done! hsm_close result: 0
Any progress???
--
Mark James ELKINS - Posix Systems - (South) Africa
mje at posix.co.za Tel: +27.128070590 Cell: +27.826010496
For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za
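The failure both posters are circling is a CKA_ID that the enforcer database lists but that the HSM does not return for the user the signer runs as. A quick way to pin that down is to diff the two views: `ods-ksmutil key list --verbose` for the enforcer side and `ods-hsmutil list` run as the signer's unix user for the HSM side. The following is an added example, not code from this thread or from OpenDNSSEC itself. The two listings embedded below are constructed samples (the zone name, keytags and dates are illustrative), and the column layout assumed for `ods-hsmutil list` does not matter to the check, which only extracts the 32-hex-digit CKA_IDs from whatever text each tool prints.

```python
import re

# OpenDNSSEC CKA_IDs are 16 random bytes rendered as 32 lowercase hex digits.
CKA_ID_RE = re.compile(r"\b[0-9a-f]{32}\b")

# Constructed sample of `ods-ksmutil key list --verbose` output.
# The zone, keytags and dates are illustrative, not copied from a real system.
ENFORCER_LISTING = """\
Keys:
Zone: Keytype: State: Date of next transition (to): Size: Algorithm: CKA_ID: Repository: Keytag:
example.org KSK publish 2014-06-10 02:17:13 (ready) 2048 8 994410881c1e66e2d075ed1ed1756679 thales 15664
example.org KSK active 2015-05-29 07:53:46 (retire) 2048 8 4e75a05b5b65f8767d54ff2a303417c6 thales 1244
example.org ZSK active 2014-07-01 00:00:00 (retire) 1024 8 98559ea5bf30685356f4d51e1ca41346 thales 40112
"""

# Constructed sample of `ods-hsmutil list` output as seen by the signer's unix user.
# The column layout here is an assumption; the parser relies only on the hex IDs.
HSM_LISTING = """\
Listing keys in all repositories.
2 keys found.

Repository  ID                                Type
----------  --                                ----
thales      4e75a05b5b65f8767d54ff2a303417c6  RSA/2048
thales      98559ea5bf30685356f4d51e1ca41346  RSA/1024
"""


def cka_ids(listing: str) -> set:
    """Return every CKA_ID mentioned anywhere in a tool's output."""
    return set(CKA_ID_RE.findall(listing))


def missing_from_hsm(enforcer_listing: str, hsm_listing: str) -> list:
    """CKA_IDs the enforcer database knows about but the HSM view does not show.

    Any ID returned here will make ods-signerd fail with
    '[hsm] unable to get key: key <id> not found' once the key is due to be
    published, regardless of the key's state in the enforcer.
    """
    return sorted(cka_ids(enforcer_listing) - cka_ids(hsm_listing))


def orphaned_in_hsm(enforcer_listing: str, hsm_listing: str) -> list:
    """The reverse check: keys in the HSM with no enforcer record (not fatal, but worth knowing)."""
    return sorted(cka_ids(hsm_listing) - cka_ids(enforcer_listing))


if __name__ == "__main__":
    for cka in missing_from_hsm(ENFORCER_LISTING, HSM_LISTING):
        print(f"in enforcer DB but not visible in HSM: {cka}")
    for cka in orphaned_in_hsm(ENFORCER_LISTING, HSM_LISTING):
        print(f"in HSM but unknown to enforcer: {cka}")
```

To use it against a live system, capture the two listings as the user named in the Signer Privileges block of conf.xml (for example with `su - opendnssec -c 'ods-hsmutil list'`) and pass them to `missing_from_hsm`. If the enforcer can see a key that the same user cannot retrieve through the HSM, the problem is on the PKCS#11 side (token slot, PIN, or the group that owns the HSM device or socket), not the key's publish/active state.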