[Opendnssec-user] Re: enforcer-ng produces suspicious number of ZSKs

Petr Spacek pspacek at redhat.com
Tue Mar 11 17:17:25 UTC 2014


On 11.3.2014 17:52, Petr Spacek wrote:
> Hello list,
>
> I'm playing with enforcer-ng and I have noticed that it generates a suspicious
> number of ZSKs for my test zone.
>
> I have built enforcer-ng myself from git, HEAD
> d7ba5fa96bcd8e6e6744e89d11fa2da88f7572c7.
>
> I'm using SoftHSM v2 built from git, HEAD
> c893d407b789e81e2d9fab5b112cc59648ba644a. It is configured with "db" backend.
>
> My system is Fedora 20 x86_64.
>
> # ods-enforcer zone add --zone lab1.test.
> Imported zone: lab1.test. into database only. Use the --xml flag or run
> "ods-enforcer zonelist export" if an update of zonelist.xml is required.
> generating 1 KSKs of 2048 bits for policy 'default'.
> generating 2048 bit RSA key in repository: SoftHSM
> key generation successful: 7efdabae0433129e47649bb51ab2dbdb
> finished generating 2048 bit KSKs.
> generating 5 ZSKs of 1024 bits for policy 'default'.
> generating 1024 bit RSA key in repository: SoftHSM
> key generation successful: c9666dfba6f038118c196d181d12a9d7
> generating 1024 bit RSA key in repository: SoftHSM
> key generation successful: 281c2272fb0e720963f98a6b4bdae4d5
> generating 1024 bit RSA key in repository: SoftHSM
> key generation successful: 584cd0733d00beb4d4f97e6b2678accc
> generating 1024 bit RSA key in repository: SoftHSM
> key generation successful: 6b8e9baa08199537fda9a76134aa862c
> generating 1024 bit RSA key in repository: SoftHSM
> key generation successful: d1ab1dd54f4438c4c247df64bbb2320e
> finished generating 1024 bit ZSKs.
> no KSK keys of 2048 bits needed for policy 'lab'.
> no ZSK keys of 1024 bits needed for policy 'lab'.
> zone add completed in 15 seconds.
>
>
> # ods-hsmutil list
> Listing keys in all repositories.
> 6 keys found.
>
> Repository            ID                                Type
> ----------            --                                ----
> SoftHSM               584cd0733d00beb4d4f97e6b2678accc  RSA/1024
> SoftHSM               d1ab1dd54f4438c4c247df64bbb2320e  RSA/1024
> SoftHSM               7efdabae0433129e47649bb51ab2dbdb  RSA/2048
> SoftHSM               c9666dfba6f038118c196d181d12a9d7  RSA/1024
> SoftHSM               281c2272fb0e720963f98a6b4bdae4d5  RSA/1024
> SoftHSM               6b8e9baa08199537fda9a76134aa862c  RSA/1024
>
>
> # ods-enforcer key list --verbose
> Keys:
> Zone:       Keytype: State:    Date of next transition: Size: Algorithm: CKA_ID:                          Repository: KeyTag:
> lab1.test.  KSK      generate  2014-03-13 05:35:24      2048  8          7efdabae0433129e47649bb51ab2dbdb SoftHSM     53104
> lab1.test.  ZSK      publish   2014-03-13 05:35:24      1024  8          c9666dfba6f038118c196d181d12a9d7 SoftHSM     20835
>
>
> Is it a bug? Or did I misunderstand KASP? (attached)

Now I'm pretty sure that it is a bug: 2190 ZSKs is really too much :-)

# ods-enforcer zone add --zone lab1.test. --policy lab
Imported zone: lab1.test. into database only. Use the --xml flag or run 
"ods-enforcer zonelist export" if an update of zonelist.xml is required.
no KSK keys of 2048 bits needed for policy 'default'.
no ZSK keys of 1024 bits needed for policy 'default'.
generating 1 KSKs of 2048 bits for policy 'lab'.
generating 2048 bit RSA key in repository: SoftHSM
key generation successful: c7af790f81b1f24f60d0b553e19edf25
finished generating 2048 bit KSKs.
generating 2190 ZSKs of 1024 bits for policy 'lab'.
generating 1024 bit RSA key in repository: SoftHSM


As a side-effect, I have found another bug (I guess):
I have terminated ods-enforcer from the previous example with SIGINT (Ctrl+C) 
because I was impatient and not willing to wait for 2190 new ZSKs.

After that, I tried to run "zone add" again to see if the number of ZSKs 
changes again:

# ods-enforcer zone add --zone lab2.test. --policy lab
Imported zone: lab2.test. into database only. Use the --xml flag or run 
"ods-enforcer zonelist export" if an update of zonelist.xml is required.
no KSK keys of 2048 bits needed for policy 'default'.
no ZSK keys of 1024 bits needed for policy 'default'.
generating 1 KSKs of 2048 bits for policy 'lab'.
generating 2048 bit RSA key in repository: SoftHSM
error: key generation failed
error: unable to generate a KSK of 2048 bits
error: generating KSKs failed
generating 4324 ZSKs of 1024 bits for policy 'lab'.
error: could not connect to HSM
error: unable to generate a ZSK of 1024 bits
error: generating ZSKs failed
zone add completed in 3 seconds.

System journal showed me this (everything came from ods-enforcerd daemon):
[zone_add_task] added Zone: lab2.test.
DBObject.cpp(1147): Transaction in database is already active.
[hsmkey_gen_task] key generation failed
[hsmkey_gen_task] unable to generate a KSK of 2048 bits
[hsmkey_gen_task] generating KSKs failed
DB.cpp(63): SQLITE3: cannot start a transaction within a transaction (1)
DBToken.cpp(550): Unable to start a transaction for updating the SOPIN and 
TOKENFLAGS in token database at 
"/var/lib/softhsm/tokens//d04b9d46-4818-3b48-3b1d-df4bd4c3986e/sqlite3.db"
Token.cpp(424): Could not get the token flags
[hsmkey_gen_task] could not connect to HSM
[hsmkey_gen_task] unable to generate a ZSK of 1024 bits
[hsmkey_gen_task] generating ZSKs failed
[enforce_task] Updating all zones that need require action
[enforcer] update Zone: lab1.test.
[enforcer] updatePolicy error calculating keytag
[enforcer] update Zone: lab2.test.
[enforcer] updatePolicy No keys available on hsm for policy lab, retry in 60 
seconds
[enforce_task] Completed updating all zones that need required action

-- 
Petr Spacek  @  Red Hat
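An added operational check (my own example, not part of the original mail or of OpenDNSSEC): it parses `ods-hsmutil list` output in the format quoted above, counts keys per repository and key type, and reports any count above an expected ceiling, so a runaway pre-generation like the 2190 ZSKs described here is noticed before the HSM token database fills up. The sample listing is constructed from the output in the mail, and the per-type ceilings are assumed values an operator would derive from their own KASP.

```python
import re
from collections import Counter

# Constructed sample, modelled on the `ods-hsmutil list` output quoted in the mail.
SAMPLE_LISTING = """\
Listing keys in all repositories.
6 keys found.

Repository            ID                                Type
----------            --                                ----
SoftHSM               584cd0733d00beb4d4f97e6b2678accc  RSA/1024
SoftHSM               d1ab1dd54f4438c4c247df64bbb2320e  RSA/1024
SoftHSM               7efdabae0433129e47649bb51ab2dbdb  RSA/2048
SoftHSM               c9666dfba6f038118c196d181d12a9d7  RSA/1024
SoftHSM               281c2272fb0e720963f98a6b4bdae4d5  RSA/1024
SoftHSM               6b8e9baa08199537fda9a76134aa862c  RSA/1024
"""

# One key row: repository, 32-hex-digit CKA_ID, key type (e.g. RSA/1024).
ROW_RE = re.compile(r"^(\S+)\s+([0-9a-f]{32})\s+(\S+)\s*$")
COUNT_RE = re.compile(r"^(\d+) keys? found\.$")


def parse_listing(text):
    """Return (rows, declared_count); rows are (repository, cka_id, type) tuples."""
    declared = None
    rows = []
    for line in text.splitlines():
        m = COUNT_RE.match(line.strip())
        if m:
            declared = int(m.group(1))
            continue
        m = ROW_RE.match(line)
        if m:  # header and dashed separator lines do not match
            rows.append(m.groups())
    return rows, declared


def check_inventory(text, max_per_type):
    """Count keys per (repository, type); flag counts above the assumed ceiling."""
    rows, declared = parse_listing(text)
    findings = []
    if declared is not None and declared != len(rows):
        findings.append(f"listing declares {declared} keys but {len(rows)} rows parsed")
    counts = Counter((repo, ktype) for repo, _, ktype in rows)
    for (repo, ktype), n in sorted(counts.items()):
        limit = max_per_type.get(ktype)
        if limit is not None and n > limit:
            findings.append(f"{repo}: {n} keys of type {ktype} exceeds expected maximum {limit}")
    return counts, findings
```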