[Opendnssec-user] Error allocating ksks / zsks
Havard Eidnes
he at uninett.no
Wed Feb 3 08:26:26 UTC 2016
> I also ran into this a couple of times. I "fixed" this by using the
> "ods-ksmutil key generate" command.
Hmm... I'm wary of doing that, since the problem doesn't appear
to be that softhsm can't generate new keys (it does so just fine
for all the other zones we have), so I don't understand what
problem "ods-ksmutil key generate" should fix. Rather, the
problem appears to be a bug or at best a lack of robustness to
deal with "strange state" in the enforcer.
Looking a bit at the code, I find this comment at the top of
KsmKeyGetUnallocated:
/*+
* KsmKeyGetUnallocated
*
* Description:
* Given a set of policy values get the next unallocated keypair
* Executes:
* select min(id) from keydata
* where policy_id = policy_id
* and securitymodule_id = sm
* and size = bits
* and algorithm = algorithm
* and state is KSM_STATE_GENERATE
*
so I worried that the key in the "generate" state for the
godegrep.no zone might mess things up (orphaned?), so it is now
history:
ods @ hugin: {12} ods-ksmutil key list --all --zone godegrep.no -v
SQLite database set to: /var/db/opendnssec/kasp.db
Keys:
Zone: Keytype: State: Date of next transition (to): Size: Algorithm: CKA_ID: Repository: Keytag:
godegrep.no KSK active 2015-12-13 15:12:43 (retire) 2048 8 3b9f49b93bece1c2e8f1f94ee8b6b4f7 SoftHSM 51569
godegrep.no ZSK retire 2015-12-29 09:45:48 (dead) 1024 8 13c2dafbfd19f837931efe5367b200e9 SoftHSM 58015
godegrep.no ZSK active 2016-01-07 04:30:48 (retire) 1024 8 76a7b62bcc80e9af6f57ef455bc483bf SoftHSM 31264
godegrep.no ZSK generate (not scheduled) (publish) 1024 8 15e81adbc4a30ced30cf1bab8cb2b212 SoftHSM 44994
ods @ hugin: {13} ods-ksmutil key delete --cka_id 15e81adbc4a30ced30cf1bab8cb2b212
Key delete successful: 15e81adbc4a30ced30cf1bab8cb2b212
ods @ hugin: {14}
and I'll wait and see if this improves matters for this
particular zone.
However, the other zone I have this issue with doesn't have a key
in "generate" state, and also doesn't have two ZSKs, so I'm not
sure what's up with that particular problem.
Regards,
- Håvard
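A small operator-side check for the situation this message describes, added here as an illustration and not part of the thread or of OpenDNSSEC itself: it parses the `ods-ksmutil key list -v` output (the column layout quoted above) into records, then lists keys that are still in the `generate` state with no scheduled transition, so such keys can be reviewed across all zones before anything is deleted by hand. The sample input is constructed from the listing above; the function and class names are this example's own.

```python
import re
from dataclasses import dataclass

# Constructed sample in the shape of the `ods-ksmutil key list -v` output
# quoted in the message above (OpenDNSSEC 1.x enforcer); used only as test input.
SAMPLE_OUTPUT = """\
SQLite database set to: /var/db/opendnssec/kasp.db
Keys:
Zone: Keytype: State: Date of next transition (to): Size: Algorithm: CKA_ID: Repository: Keytag:
godegrep.no KSK active 2015-12-13 15:12:43 (retire) 2048 8 3b9f49b93bece1c2e8f1f94ee8b6b4f7 SoftHSM 51569
godegrep.no ZSK retire 2015-12-29 09:45:48 (dead) 1024 8 13c2dafbfd19f837931efe5367b200e9 SoftHSM 58015
godegrep.no ZSK active 2016-01-07 04:30:48 (retire) 1024 8 76a7b62bcc80e9af6f57ef455bc483bf SoftHSM 31264
godegrep.no ZSK generate (not scheduled) (publish) 1024 8 15e81adbc4a30ced30cf1bab8cb2b212 SoftHSM 44994
"""

UNSCHEDULED = "(not scheduled)"


@dataclass
class KeyRecord:
    zone: str
    keytype: str          # KSK or ZSK
    state: str            # generate, publish, active, retire, dead, ...
    next_transition: str  # "YYYY-MM-DD HH:MM:SS" or "(not scheduled)"
    next_state: str       # the state named in the "(to)" column
    size: int
    algorithm: int
    cka_id: str           # 32 hex digits, the key's id inside the HSM
    repository: str
    keytag: int


def parse_key_list(text):
    """Turn the verbose key listing into KeyRecord objects.

    A key line always has 11 whitespace-separated tokens: the transition
    column is either a date plus a time or the two words "(not scheduled)".
    The banner, "Keys:" and the column header are skipped.
    """
    records = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) != 11 or tokens[0].endswith(":"):
            continue
        zone, keytype, state = tokens[0:3]
        next_transition = " ".join(tokens[3:5])
        next_state = tokens[5].strip("()")
        size, algorithm, cka_id, repository, keytag = tokens[6:11]
        if not re.fullmatch(r"[0-9a-f]{32}", cka_id):
            continue  # not a key line after all; be conservative
        records.append(KeyRecord(zone, keytype, state, next_transition, next_state,
                                 int(size), int(algorithm), cka_id, repository, int(keytag)))
    return records


def find_unscheduled_generate_keys(records):
    """Keys sitting in 'generate' with no transition scheduled.

    These are the candidates for the orphaned-key situation the message
    suspects; the list is for review, nothing is deleted here.
    """
    return [r for r in records
            if r.state == "generate" and r.next_transition == UNSCHEDULED]


def summarize_zone(records, zone):
    """Count keys per (keytype, state) for one zone, e.g. to spot two active ZSKs."""
    counts = {}
    for r in records:
        if r.zone == zone:
            key = (r.keytype, r.state)
            counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    # Stand-alone run over the constructed sample; feed real output via stdin
    # with e.g. `ods-ksmutil key list --all -v | python3 check_keys.py`.
    import sys
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    recs = parse_key_list(data)
    for k in find_unscheduled_generate_keys(recs):
        print(f"{k.zone}: {k.keytype} in generate, not scheduled, "
              f"CKA_ID {k.cka_id} keytag {k.keytag}")
    for zone in sorted({r.zone for r in recs}):
        print(zone, summarize_zone(recs, zone))
```

Run against the sample it reports the single ZSK in `generate` for godegrep.no with its CKA_ID and keytag, and the per-zone summary shows one active KSK, one active ZSK, one retired ZSK and the stuck one, which matches what the listing above shows.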