[Opendnssec-user] Key not found

Jerry Lundström jerry at opendnssec.org
Tue Jun 10 15:12:38 UTC 2014


Hi Mark and David,

All the problems you have reported point to issues with your HSM rather
than a problem with OpenDNSSEC.

OpenDNSSEC cannot recover from a state where the key was successfully
created but is now missing in the HSM.

If this is a test environment then you should test your setup with SoftHSM
to just verify that your setup works and that there isn't any strange
hardware problem.

If this is your production environment I would suggest going unsigned until
these problems have been resolved.

I also suggest that you contact your HSM provider, maybe they can provide
you with tools to debug the HSM so you can begin to locate the issue.

Regards,
Jerry

-- 
Jerry Lundström - OpenDNSSEC Developer
http://www.opendnssec.org/
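Jerry's advice is to rule out the HSM before suspecting OpenDNSSEC, and Siôn asked whether the signer runs as the same user/group as the enforcer. One mechanical way to check both, as an added example that is not OpenDNSSEC project code: extract the CKA_IDs from the enforcer's view (`ods-ksmutil key list --verbose`) and from the HSM's view (`ods-hsmutil list <repository>`), both captured while running as the signer user, and diff them. The two outputs below are constructed sample text modelled on the listings in this thread; the zone name example.com and the keytag 40123 are hypothetical.

```shell
#!/bin/sh
# Added example, not OpenDNSSEC project code.
# Cross-check the CKA_IDs the enforcer database knows about against the
# CKA_IDs the HSM actually exposes through PKCS#11.  In a live setup the two
# inputs would come from:
#   ods-ksmutil key list --verbose     (enforcer's view, from its database)
#   ods-hsmutil list <repository>      (what the token shows to this user)
# both run as the user the signer runs as, so that a user/group mismatch
# between enforcer and signer shows up as keys "in DB but not repository".
# Everything below is constructed sample text modelled on the thread; the
# zone name and the 40123 keytag are hypothetical.

# Pull 32-hex-digit CKA_IDs out of either tool's output, sorted and unique.
extract_cka_ids() {
    grep -oE '[0-9a-f]{32}' | sort -u
}

# keys_in_db_not_in_hsm DB_OUTPUT HSM_OUTPUT
# Prints, one per line, every CKA_ID present in the enforcer output but
# absent from the HSM listing.  Prints nothing when the two agree.
keys_in_db_not_in_hsm() {
    db_ids=$(printf '%s\n' "$1" | extract_cka_ids)
    hsm_ids=$(printf '%s\n' "$2" | extract_cka_ids)
    for id in $db_ids; do
        printf '%s\n' "$hsm_ids" | grep -qx "$id" || printf '%s\n' "$id"
    done
}

# Constructed sample: what the enforcer believes (two keys in repository "thales").
DB_SAMPLE='Zone:        Keytype:  State:   Date of next transition (to):  Size:  Algorithm:  CKA_ID:                           Repository:  Keytag:
example.com  KSK       active   2015-06-10 15:19:39 (retire)   2048   8           994410881c1e66e2d075ed1ed1756679  thales       15664
example.com  ZSK       active   2014-07-10 02:17:13 (retire)   1024   8           85d783cf86e25fe6c9bce3cbac1cf851  thales       40123'

# Constructed sample: what the HSM shows this user (only the KSK is visible).
HSM_SAMPLE='Listing keys in repository: thales
1 key found.

Repository            ID                                Type
thales                994410881c1e66e2d075ed1ed1756679  RSA/2048'

# Constructed sample: the same listing with both keys visible.
HSM_SAMPLE_OK="$HSM_SAMPLE
thales                85d783cf86e25fe6c9bce3cbac1cf851  RSA/1024"

# Report the mismatch the enforcer would complain about.
missing=$(keys_in_db_not_in_hsm "$DB_SAMPLE" "$HSM_SAMPLE")
if [ -n "$missing" ]; then
    printf 'in DB but not repository: %s\n' $missing
else
    echo 'enforcer DB and HSM agree'
fi
```

To use it against a real installation, replace the two sample strings with the captured output of the two commands, run once as the signer user and once as the enforcer user. A CKA_ID that is "missing" under one user but listed under the other points at token access rights or a differing PKCS#11 configuration between the two accounts rather than at a lost key; a CKA_ID missing under both is the situation Jerry describes, where the HSM vendor's own tools are the next step.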

On 10 jun 2014, at 16:40, David Peall <david at dnservices.co.za> wrote:

Trying a key rollover I get the following:
ods-enforcerd: Key 85d783cf86e25fe6c9bce3cbac1cf851 in DB but not
repository.

Run as the opendnssec user:
ods-hsmutil list thales | grep 85d783cf86e25fe6c9bce3cbac1cf851
thales                85d783cf86e25fe6c9bce3cbac1cf851  RSA/2048

Something hinky going on?

Regards
—
David Peall

On 10 Jun 2014, at 4:22 PM, David Peall <david at dnservices.co.za> wrote:

Hi All


As Mark has said, logged in as the signer user we are able to list the
“missing” key.

<zone>    KSK    active    2015-06-10 15:19:39 (retire)    2048    8    994410881c1e66e2d075ed1ed1756679    thales    15664


Anything else we can try to look for?


Regards

—

David Peall


On 09 Jun 2014, at 2:39 PM, Siôn Lloyd <sion at nominet.org.uk> wrote:


On 09/06/14 11:30, David Peall wrote:


But then:

ods-signerd: [hsm] unable to get key: key 994410881c1e66e2d075ed1ed1756679 not found

ods-signerd: [zone] unable to publish dnskeys for zone <zone>: error creating dnskey

ods-signerd: [tools] unable to read zone <zone>: failed to publish dnskeys (General error)


But:

ods-ksmutil key list --verbose

Zone:     Keytype:    State:     Date of next transition (to):    Size:    Algorithm:    CKA_ID:                             Repository:    Keytag:
<zone>    KSK         publish    2014-06-10 02:17:13 (ready)      2048     8             994410881c1e66e2d075ed1ed1756679    thales         15664


Is this because the key is not active? Is this a bug?

Hi David,


The state of the key is not causing this... Does the signer run as the
same user/group as the enforcer?


Also get this:

ods-enforcerd: WARNING: KSK rollover for zone '<zone>' not completed as
there are no keys in the 'ready' state; ods-enforcerd will try again when
it runs next



This is just a warning that you have to wait for the KSK and signatures
to propagate before the key is considered "ACTIVE". The wording is not
ideal for the initial signing situation, but makes more sense when
describing subsequent rolls.


Sion

_______________________________________________

Opendnssec-user mailing list

Opendnssec-user at lists.opendnssec.org

https://lists.opendnssec.org/mailman/listinfo/opendnssec-user



