[Opendnssec-user] ods-enforcerd in error loop required manual ods-ksmutil hacking to get unstuck :(

Simon Arlott simon at arlott.org
Sat Sep 27 09:32:07 UTC 2014


> What was in the signconf.xml? Because
> if the ZSK was not configured there, the signer will happily sign the
> zone with just the KSK (if in signconf.xml of course).

I have the same problem. I had recently deleted a zone with:
$ ods-ksmutil zone delete --zone example.com

About 45 minutes later, for a different zone, it removed all the
signatures except those made by the KSK on the DNSKEY RRs. At the same
time it also removed the previous ZSK:

-simon.arlott.name.	10800	IN	RRSIG	SOA 10 3 10800 20141129152935 20140926191826 20648 simon.arlott.name. ...

-simon.arlott.name.	3600	IN	DNSKEY	256 3 10 ... ;{id = 20648 (zsk), size = 1280b}
+simon.arlott.name.	3600	IN	DNSKEY	256 3 10 ... ;{id = 42336 (zsk), size = 1280b}
 simon.arlott.name.	3600	IN	DNSKEY	257 3 10 ... ;{id = 27541 (ksk), size = 1536b}

> If the ZSK is in the signconf, but not in the HSM, the signer should
> barf.

The signconf is missing "<ZSK />":

                <Keys>
                        <TTL>PT3600S</TTL>
                        <Key>
                                <Flags>257</Flags>
                                <Algorithm>10</Algorithm>
                                <Locator>5e542722830a435d0d81147ac93abfdd</Locator>
                                <KSK />
                                <Publish />
                        </Key>

                        <Key>
                                <Flags>256</Flags>
                                <Algorithm>10</Algorithm>
                                <Locator>4b8a3da57795e718c29eb8c611d2fa1a</Locator>
                                <Publish />
                        </Key>

                </Keys>

That element is present for one of the keys in all my other zones except
this one. It looks like it has partially completed the ZSK rollover by
removing the previous key from the signconf.

I'm not sharing keys between zones.

Keys:
Zone:                           Keytype:      State:    Date of next transition:  CKA_ID:                           Repository:                       Keytag:
simon.arlott.name               KSK           active    2015-03-29 13:15:11       5e542722830a435d0d81147ac93abfdd  SoftHSM                           27541
simon.arlott.name               ZSK           publish   2014-09-28 02:16:10       4b8a3da57795e718c29eb8c611d2fa1a  SoftHSM                           42336

The key 4b8a3da57795e718c29eb8c611d2fa1a is present in the repository.

26 22:16:10 ods-enforcerd: WARNING: ZSK rollover for zone 'simon.arlott.name' not completed as there are no keys in the 'ready' state; ods-enforcerd will try again when it runs next


It now crashes the signer on every startup:

27 01:15:26 ods-signerd: [engine] signer started
27 01:15:27 ods-signerd: signer/rrset.c:157: rrset_recover: assertion flags failed

(I'm using OpenDNSSEC-1.3 r5980 from SVN so it looks like that issue
has been fixed in a future version.)

> - Matthijs

-- 
Simon Arlott
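A check for the condition Simon describes, added here as an example (not code from the original post or from OpenDNSSEC's own tooling): parse each signconf.xml, and report when no <Key> carries the <ZSK/> signing role, since that is exactly the key set that leaves the signer signing only the DNSKEY RRset with the KSK. The sample input is the <Keys> fragment quoted in the post; the enclosing <SignerConfiguration>/<Zone> wrapper, the placeholder locator of the outgoing ZSK in the constructed healthy variant, and the default signconf directory /var/opendnssec/signconf/ are assumptions, not taken from the post.

```python
#!/usr/bin/env python3
"""Sanity-check OpenDNSSEC 1.x signconf.xml key sets before the signer reads them.

Failure mode from the post: the enforcer rewrote signconf.xml so that no <Key>
carries <ZSK/>, and the signer then dropped every RRSIG except the KSK's
signature over the DNSKEY RRset.  This script reports that condition."""
from __future__ import annotations

import glob
import sys
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

SEP_BIT = 0x0001  # DNSKEY flags: SEP bit, set on KSKs (257 = 256 | 1)
DEFAULT_SIGNCONF_GLOB = "/var/opendnssec/signconf/*.xml"  # assumed default location


@dataclass
class SignconfKey:
    flags: int
    algorithm: int
    locator: str
    ksk: bool      # <KSK/>: key signs the DNSKEY RRset
    zsk: bool      # <ZSK/>: key signs all other RRsets
    publish: bool  # <Publish/>: DNSKEY record appears in the zone


@dataclass
class Report:
    errors: list[str] = field(default_factory=list)  # zone will be (partly) unsigned
    notes: list[str] = field(default_factory=list)   # expected mid-rollover states


def parse_signconf_keys(xml_text: str) -> list[SignconfKey]:
    """Collect every <Key> element; the enclosing wrapper elements are ignored."""
    root = ET.fromstring(xml_text)
    return [
        SignconfKey(
            flags=int(key.findtext("Flags", "0")),
            algorithm=int(key.findtext("Algorithm", "0")),
            locator=(key.findtext("Locator") or "").strip(),
            ksk=key.find("KSK") is not None,
            zsk=key.find("ZSK") is not None,
            publish=key.find("Publish") is not None,
        )
        for key in root.iter("Key")
    ]


def check_signconf(xml_text: str) -> Report:
    """An empty Report.errors means the key set can fully sign the zone."""
    keys = parse_signconf_keys(xml_text)
    report = Report()
    if not keys:
        report.errors.append("no <Key> elements at all")
        return report
    if not any(k.ksk for k in keys):
        report.errors.append("no key has <KSK/>: the DNSKEY RRset will not be signed")
    if not any(k.zsk for k in keys):
        report.errors.append("no key has <ZSK/>: zone data will lose all RRSIGs "
                             "(only the DNSKEY RRset stays signed, by the KSK)")
    for k in keys:
        if k.ksk and not (k.flags & SEP_BIT):
            report.errors.append(f"key {k.locator}: <KSK/> but flags {k.flags} lack the SEP bit")
        if k.publish and not (k.ksk or k.zsk):
            report.notes.append(f"key {k.locator} (flags {k.flags}): published but not signing; "
                                "fine only while another key still carries that role")
    return report


# Key set quoted in the post (ZSK 42336 is published but nothing carries <ZSK/>);
# the <SignerConfiguration>/<Zone> wrapper is assumed, it is not shown in the post.
BROKEN_SIGNCONF = """<SignerConfiguration><Zone name="simon.arlott.name">
<Keys>
  <TTL>PT3600S</TTL>
  <Key><Flags>257</Flags><Algorithm>10</Algorithm>
       <Locator>5e542722830a435d0d81147ac93abfdd</Locator><KSK /><Publish /></Key>
  <Key><Flags>256</Flags><Algorithm>10</Algorithm>
       <Locator>4b8a3da57795e718c29eb8c611d2fa1a</Locator><Publish /></Key>
</Keys></Zone></SignerConfiguration>"""

# Constructed healthy mid-rollover variant: the outgoing ZSK (placeholder locator,
# not a real key) still signs while the new one is only pre-published.
HEALTHY_SIGNCONF = BROKEN_SIGNCONF.replace(
    "</Keys>",
    "  <Key><Flags>256</Flags><Algorithm>10</Algorithm>\n"
    "       <Locator>00000000000000000000000000000000</Locator><ZSK /><Publish /></Key>\n"
    "</Keys>")


def main(paths: list[str]) -> int:
    """Check the given signconf files (or the assumed default directory); exit 1 on errors."""
    files = paths or sorted(glob.glob(DEFAULT_SIGNCONF_GLOB))
    if not files:
        print("no signconf files found", file=sys.stderr)
    bad = 0
    for path in files:
        with open(path, encoding="utf-8") as fh:
            report = check_signconf(fh.read())
        for msg in report.errors:
            print(f"ERROR {path}: {msg}")
        for msg in report.notes:
            print(f"note  {path}: {msg}")
        bad += bool(report.errors)
    return 1 if bad else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it against the signconf directory from cron or a pre-signing hook; the "published but not signing" note is normal for a new ZSK in the publish state, so only the ERROR lines (no key with <ZSK/>, no key with <KSK/>, KSK without the SEP bit) need to page anyone.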
