[Opendnssec-user] Expected behavior when changing zone policy and problem with key generation

Sebastian Wiesinger sebastian at karotte.org
Tue Jul 28 06:44:25 UTC 2015


Hello,

I'm just testing OpenDNSSEC for deployment and I noticed two strange
things. I'm using a test zone to play around with settings and see how
ODS behaves.

I had the zone running on the 'lab' policy and changed it to the
'default' policy. I *expected* that the zone would be reconfigured to
the new timers etc.

Instead what happened was that all keys for the zone were deleted and
new keys were created instantly. This would have been disastrous in
production:


Jul 27 15:23:54 alita ods-enforcerd: 1 zone(s) found on policy "default"
Jul 27 15:23:54 alita ods-enforcerd: 1 new KSK(s) (2048 bits) need to be created for policy default: keys_to_generate(1) = keys_needed(1) - keys_available(0).
Jul 27 15:23:54 alita ods-enforcerd: SoftHSM: C_GenerateKeyPair: Key pair generated
Jul 27 15:23:54 alita ods-enforcerd: SoftHSM: C_DestroyObject: An object has been destroyed
Jul 27 15:23:54 alita ods-enforcerd: Created key in repository SoftHSM
Jul 27 15:23:54 alita ods-enforcerd: Created KSK size: 2048, alg: 8 with id: 6b18ac63e33ceb87daa22b7aa946671a in repository: SoftHSM and database.
Jul 27 15:23:54 alita ods-enforcerd: 1 new ZSK(s) (1024 bits) need to be created for policy default: keys_to_generate(1) = keys_needed(1) - keys_available(0).
Jul 27 15:23:55 alita ods-enforcerd: SoftHSM: C_GenerateKeyPair: Key pair generated
Jul 27 15:23:55 alita ods-enforcerd: SoftHSM: C_DestroyObject: An object has been destroyed
Jul 27 15:23:55 alita ods-enforcerd: Created key in repository SoftHSM
Jul 27 15:23:55 alita ods-enforcerd: Created ZSK size: 1024, alg: 8 with id: 8d2753a64bde1a77512f8a8fbdc2174a in repository: SoftHSM and database.
Jul 27 15:23:55 alita ods-enforcerd: Purging keys...
Jul 27 15:23:55 alita ods-enforcerd: Policy lab found.
Jul 27 15:23:55 alita ods-enforcerd: Key sharing is Off.
Jul 27 15:23:55 alita ods-enforcerd: No zones on policy lab, skipping...
Jul 27 15:23:55 alita ods-enforcerd: Purging keys...
Jul 27 15:23:55 alita ods-enforcerd: zonelist filename set to /etc/opendnssec/zonelist.xml.
Jul 27 15:23:55 alita ods-enforcerd: Zone dnssec-test.intern found.
Jul 27 15:23:55 alita ods-enforcerd: Policy for dnssec-test.intern set to default.
Jul 27 15:23:55 alita ods-enforcerd: Policy default found in DB.
Jul 27 15:23:55 alita ods-enforcerd: Config will be output to /var/lib/opendnssec/signconf/dnssec-test.intern.xml.
Jul 27 15:23:55 alita ods-enforcerd: ZSK key allocation for zone dnssec-test.intern: 1 key(s) allocated

Is this expected behavior when changing policies? The keys for policy
'lab' and 'default' have the same algorithms and key lengths.


I proceeded to do some policy changes and removed/added the zone a few
times because I wanted a fresh start with new keys.

When adding the zone I noticed that no keys were generated for the
zone:

Jul 27 16:32:16 alita ods-enforcerd: 1 zone(s) found on policy "default"
Jul 27 16:32:16 alita ods-enforcerd: No new KSKs need to be created.
Jul 27 16:32:16 alita ods-enforcerd: No new ZSKs need to be created.
Jul 27 16:32:16 alita ods-enforcerd: Purging keys...
Jul 27 16:32:16 alita ods-enforcerd: Policy lab found.
Jul 27 16:32:16 alita ods-enforcerd: Key sharing is Off.
Jul 27 16:32:16 alita ods-enforcerd: No zones on policy lab, skipping...
Jul 27 16:32:16 alita ods-enforcerd: Purging keys...
Jul 27 16:32:16 alita ods-enforcerd: zonelist filename set to /etc/opendnssec/zonelist.xml.
Jul 27 16:32:16 alita ods-enforcerd: Zone dnssec-test.intern found.
Jul 27 16:32:16 alita ods-enforcerd: Policy for dnssec-test.intern set to default.
Jul 27 16:32:16 alita ods-enforcerd: Policy default found in DB.
Jul 27 16:32:16 alita ods-enforcerd: Config will be output to /var/lib/opendnssec/signconf/dnssec-test.intern.xml.
Jul 27 16:32:16 alita ods-enforcerd: Not enough keys to satisfy zsk policy for zone: dnssec-test.intern. keys_to_allocate(1) = keys_needed(1) - (keys_available(0) - keys_pending_retirement(0))
Jul 27 16:32:16 alita ods-enforcerd: Tried to allocate 1 keys, failed on allocating key number 1
Jul 27 16:32:16 alita ods-enforcerd: ods-enforcerd will create some more keys on its next run
Jul 27 16:32:16 alita ods-enforcerd: Error allocating zsks to zone dnssec-test.intern
Jul 27 16:32:16 alita ods-enforcerd: Disconnecting from Database...
Jul 27 16:32:16 alita ods-enforcerd: Sleeping for 3600 seconds.

<ManualKeyGeneration/> was *NOT* active.

The only way I could make key generation work again was to copy the
default policy to a new policy (called 'std-nsec'). After doing that
and removing/adding the zone to this new policy key generation worked
as expected.

I must say I find it a bit confusing which settings come from the XML
files and which states are in the MySQL Database. :( Stuff gets synced
to the database and sometimes stuff only gets picked up by restarting
the daemons?

Perhaps someone here can shine some light on these problems and tell me
where I got it wrong.

Regards

Sebastian

-- 
GPG Key: 0x93A0B9CE (F4F6 B1A3 866B 26E9 450A  9D82 58A2 D94A 93A0 B9CE)
'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE.
            -- Terry Pratchett, The Fifth Elephant
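The two enforcer runs quoted above are the kind of thing worth catching automatically: a run that both re-assigns a zone's policy and mints fresh KSK/ZSK material, or a run that ends with "Error allocating zsks". The following is an added example for this thread, not code from the original post or from the OpenDNSSEC project. It parses ods-enforcerd syslog lines into a per-run summary and flags both patterns. The regular expressions are assumptions based only on the message formats visible in the post (OpenDNSSEC 1.x enforcer), and the two embedded excerpts are abridged copies of the log lines quoted above.

```python
"""Summarise ods-enforcerd (OpenDNSSEC 1.x) syslog output per run.

Added example for the mailing-list thread; not code from the original post
or from the OpenDNSSEC project. Regexes are assumptions derived from the
message formats visible in the post and match only those formats.
"""
import re

# Syslog prefix as seen in the post: "Jul 27 15:23:54 alita ods-enforcerd: <msg>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"ods-enforcerd: (?P<msg>.*)$"
)
# "Created KSK size: 2048, alg: 8 with id: <hex> in repository: SoftHSM and database."
CREATED_RE = re.compile(
    r"Created (?P<role>KSK|ZSK) size: (?P<bits>\d+), alg: (?P<alg>\d+) "
    r"with id: (?P<id>[0-9a-f]+) in repository: (?P<repo>\S+)"
)
# "Policy for dnssec-test.intern set to default."
POLICY_RE = re.compile(r"^Policy for (?P<zone>\S+) set to (?P<policy>\S+)\.$")
# "Not enough keys to satisfy zsk policy for zone: dnssec-test.intern. keys_to_allocate(1) = ..."
SHORTAGE_RE = re.compile(
    r"^Not enough keys to satisfy (?P<role>\w+) policy for zone: (?P<zone>\S+?)\. "
)
# "Error allocating zsks to zone dnssec-test.intern"
ALLOC_ERR_RE = re.compile(r"^Error allocating (?P<role>\w+) to zone (?P<zone>\S+)$")


def summarise(lines):
    """Reduce one enforcer run to the facts that matter for key continuity."""
    summary = {
        "keys_created": [],       # dicts: role, bits, alg, id, repo
        "hsm_destroy_events": 0,  # C_DestroyObject calls; the line does not say what was destroyed
        "zone_policy": {},        # zone -> policy assigned during this run
        "allocation_errors": [],  # dicts: zone, role ("ksk"/"zsk"), msg
        "unparsed": 0,            # lines that are not ods-enforcerd syslog lines
    }
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        m = LINE_RE.match(raw)
        if not m:
            summary["unparsed"] += 1
            continue
        msg = m["msg"]
        if "C_DestroyObject" in msg:
            summary["hsm_destroy_events"] += 1
            continue
        if c := CREATED_RE.search(msg):
            summary["keys_created"].append({
                "role": c["role"], "bits": int(c["bits"]), "alg": int(c["alg"]),
                "id": c["id"], "repo": c["repo"],
            })
            continue
        if p := POLICY_RE.match(msg):
            summary["zone_policy"][p["zone"]] = p["policy"]
            continue
        if e := (SHORTAGE_RE.match(msg) or ALLOC_ERR_RE.match(msg)):
            # normalise "zsk"/"zsks" to one role name
            summary["allocation_errors"].append(
                {"zone": e["zone"], "role": e["role"].lower().rstrip("s"), "msg": msg}
            )
    return summary


def new_keys_in_policy_assignment_run(summary):
    """True when one run both assigned a zone to a policy and minted new keys,
    the pattern the post reports after switching the zone from 'lab' to 'default'."""
    return bool(summary["zone_policy"]) and bool(summary["keys_created"])


def zones_short_of_keys(summary):
    """Zones whose key allocation failed in this run, mapped to the roles affected."""
    out = {}
    for err in summary["allocation_errors"]:
        out.setdefault(err["zone"], set()).add(err["role"])
    return out


# Abridged from the first log excerpt in the post (policy change run).
EXCERPT_POLICY_CHANGE = """
Jul 27 15:23:54 alita ods-enforcerd: 1 zone(s) found on policy "default"
Jul 27 15:23:54 alita ods-enforcerd: SoftHSM: C_GenerateKeyPair: Key pair generated
Jul 27 15:23:54 alita ods-enforcerd: SoftHSM: C_DestroyObject: An object has been destroyed
Jul 27 15:23:54 alita ods-enforcerd: Created KSK size: 2048, alg: 8 with id: 6b18ac63e33ceb87daa22b7aa946671a in repository: SoftHSM and database.
Jul 27 15:23:55 alita ods-enforcerd: SoftHSM: C_GenerateKeyPair: Key pair generated
Jul 27 15:23:55 alita ods-enforcerd: SoftHSM: C_DestroyObject: An object has been destroyed
Jul 27 15:23:55 alita ods-enforcerd: Created ZSK size: 1024, alg: 8 with id: 8d2753a64bde1a77512f8a8fbdc2174a in repository: SoftHSM and database.
Jul 27 15:23:55 alita ods-enforcerd: Policy for dnssec-test.intern set to default.
Jul 27 15:23:55 alita ods-enforcerd: ZSK key allocation for zone dnssec-test.intern: 1 key(s) allocated
""".splitlines()

# Abridged from the second log excerpt in the post (zone re-added, no keys generated).
EXCERPT_ZONE_READD = """
Jul 27 16:32:16 alita ods-enforcerd: 1 zone(s) found on policy "default"
Jul 27 16:32:16 alita ods-enforcerd: No new KSKs need to be created.
Jul 27 16:32:16 alita ods-enforcerd: No new ZSKs need to be created.
Jul 27 16:32:16 alita ods-enforcerd: Policy for dnssec-test.intern set to default.
Jul 27 16:32:16 alita ods-enforcerd: Not enough keys to satisfy zsk policy for zone: dnssec-test.intern. keys_to_allocate(1) = keys_needed(1) - (keys_available(0) - keys_pending_retirement(0))
Jul 27 16:32:16 alita ods-enforcerd: Error allocating zsks to zone dnssec-test.intern
Jul 27 16:32:16 alita ods-enforcerd: Sleeping for 3600 seconds.
""".splitlines()

if __name__ == "__main__":
    for name, excerpt in (("policy change", EXCERPT_POLICY_CHANGE), ("zone re-add", EXCERPT_ZONE_READD)):
        s = summarise(excerpt)
        print(name, "new keys with policy assignment:", new_keys_in_policy_assignment_run(s),
              "short of keys:", zones_short_of_keys(s))
```

Feeding a whole syslog file through `summarise` works as long as you split it into one chunk per enforcer run first (the "Sleeping for N seconds." line is a convenient delimiter); run both checks on each chunk and alert when either fires.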


