[Opendnssec-user] Error allocating ksks / zsks

Havard Eidnes he at uninett.no
Thu Mar 10 13:12:00 UTC 2016


> If key_pair_id = 0 is indeed invalid, I guess the database has gotten
> into a state where OpenDNSSEC refuses to mend it automatically.
>
> Guidance sought.

Listing all the keys with "ods-ksmutil key list --verbose --all"
revealed:

NOT ALLOCATED                   KSK           generate  (not scheduled)     (publish)  2048    8           3b929d0ab308b4e1e8bf81abf1e6dafe  SoftHSM
NOT ALLOCATED                   ZSK           generate  (not scheduled)     (publish)  1024    8           b3c5b3d619c086f41f3f2ed440419f23  SoftHSM

Yes, that's an empty "key tag" field; all the others have a value
there (after the "SoftHSM" tag).  I wonder how it managed to get into
that state.  Let's try to delete these two and see how it goes...

ods @ hugin: {7} ods-ksmutil key delete --cka_id 3b929d0ab308b4e1e8bf81abf1e6dafe
Key delete successful: 3b929d0ab308b4e1e8bf81abf1e6dafe
ods @ hugin: {8} ods-ksmutil key delete --cka_id b3c5b3d619c086f41f3f2ed440419f23
Key delete successful: b3c5b3d619c086f41f3f2ed440419f23
ods @ hugin: {9}
ods @ hugin: {9} ods-control enforcer stop
Stopping enforcer...
ods @ hugin: {10} ods-control enforcer start
Starting enforcer...
OpenDNSSEC ods-enforcerd started (version 1.4.9), pid 17045
ods @ hugin: {11}

Hmm, definitely better:

Mar 10 14:04:01 hugin ods-enforcerd: 367 zone(s) found on policy "default" 
Mar 10 14:04:01 hugin ods-enforcerd: Predict we need 367 KSKs
Mar 10 14:04:01 hugin ods-enforcerd: Have 366 KSK keys in queue
Mar 10 14:04:01 hugin ods-enforcerd: Need 1 new KSK keys
Mar 10 14:04:01 hugin ods-enforcerd: 1 new KSK(s) (2048 bits) need to be created for policy default: keys_to_generate(1) = keys_needed(367) - keys_available(366). 
Mar 10 14:04:01 hugin ods-enforcerd: Created key in repository SoftHSM
Mar 10 14:04:01 hugin ods-enforcerd: Created KSK size: 2048, alg: 8 with id: 95ebe2949eeb84fac9eee71573347b96 in repository: SoftHSM and database.
Mar 10 14:04:01 hugin ods-enforcerd: Predict we need 367 new ZSK keys
Mar 10 14:04:01 hugin ods-enforcerd: Have 366 ZSK keys in queue
Mar 10 14:04:01 hugin ods-enforcerd: Need 1 new ZSK keys
Mar 10 14:04:01 hugin ods-enforcerd: 1 new ZSK(s) (1024 bits) need to be created for policy default: keys_to_generate(1) = keys_needed(367) - keys_available(366). 
Mar 10 14:04:01 hugin ods-enforcerd: Created key in repository SoftHSM
Mar 10 14:04:01 hugin ods-enforcerd: Created ZSK size: 1024, alg: 8 with id: ce16fcac12944304b81957d99c69a1fd in repository: SoftHSM and database.
Mar 10 14:04:01 hugin ods-enforcerd: NOTE: keys generated in repository SoftHSM will not become active until they have been backed up

and...

Mar 10 14:04:20 hugin ods-enforcerd: Zone mydomainname.no found.
Mar 10 14:04:20 hugin ods-enforcerd: Policy for mydomainname.no set to default.
Mar 10 14:04:20 hugin ods-enforcerd: Config will be output to /var/opendnssec/signconf/mydomainname.no.xml.
Mar 10 14:04:20 hugin ods-enforcerd: New unallocated keypair_id=2373
Mar 10 14:04:20 hugin ods-enforcerd: ZSK key allocation for zone mydomainname.no: 1 key(s) allocated 
Mar 10 14:04:20 hugin ods-enforcerd: New unallocated keypair_id=2372
Mar 10 14:04:20 hugin ods-enforcerd: KSK key allocation for zone mydomainname.no: 1 key(s) allocated 
Mar 10 14:04:20 hugin ods-enforcerd: INFO: Promoting ZSK from publish to active as this is the first pass for the zone
Mar 10 14:04:20 hugin ods-enforcerd: ERROR: Trying to make non-backed up ZSK active when RequireBackup flag is set
Mar 10 14:04:20 hugin ods-enforcerd: KsmRequestKeys returned: 65562
Mar 10 14:04:20 hugin ods-enforcerd: Signconf not written for mydomainname.no
Mar 10 14:04:20 hugin ods-enforcerd: Disconnecting from Database...

and doing a SoftHSM backup and a "ods-control enforcer notify"
finally caused the domain to be signed.

Regards,

- Håvard
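An added example, not part of the post and not OpenDNSSEC's own code: a small Python triage script that automates the two checks the post does by hand. It scans `ods-ksmutil key list --verbose --all` output for "NOT ALLOCATED" entries whose key tag column is empty (the symptom described above), emits the matching `ods-ksmutil key delete --cka_id` commands for an operator to review, and scans enforcer log lines for the "need to be created" arithmetic and the RequireBackup error. The column layout is inferred from the two lines quoted in the post; the first "healthy" key-list line, its zone name, dates and key tag are invented for contrast, and the log lines are copied from the post.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample of `ods-ksmutil key list --verbose --all` output.
# The two "NOT ALLOCATED" lines are the ones from the post; the first line
# is an assumed healthy entry (zone, dates and key tag are made up) so the
# difference in the last column is visible.
KEY_LIST = """\
example.test                    KSK           active    2016-04-01 00:00:00 (retire)   2048    8           0123456789abcdef0123456789abcdef  SoftHSM                           12345
NOT ALLOCATED                   KSK           generate  (not scheduled)     (publish)  2048    8           3b929d0ab308b4e1e8bf81abf1e6dafe  SoftHSM
NOT ALLOCATED                   ZSK           generate  (not scheduled)     (publish)  1024    8           b3c5b3d619c086f41f3f2ed440419f23  SoftHSM
"""

# Column layout assumed from the post: zone, key type, state, transition info,
# size, algorithm, 32-hex-digit CKA_ID, repository, optional key tag.
KEY_LINE = re.compile(
    r"^(?P<zone>.+?)\s{2,}(?P<type>KSK|ZSK)\s+(?P<state>\S+)\s+.*?"
    r"(?P<bits>\d+)\s+(?P<alg>\d+)\s+(?P<cka_id>[0-9a-f]{32})\s+(?P<repo>\S+)"
    r"(?:\s+(?P<keytag>\d+))?\s*$"
)


@dataclass
class KeyEntry:
    zone: str
    ktype: str
    state: str
    cka_id: str
    repo: str
    keytag: Optional[int]


def parse_key_list(text: str) -> List[KeyEntry]:
    """Parse key-list lines; header and blank lines do not match and are skipped."""
    entries = []
    for line in text.splitlines():
        m = KEY_LINE.match(line)
        if not m:
            continue
        tag = m.group("keytag")
        entries.append(KeyEntry(m.group("zone").strip(), m.group("type"),
                                m.group("state"), m.group("cka_id"),
                                m.group("repo"), int(tag) if tag else None))
    return entries


def suspect_keys(entries: List[KeyEntry]) -> List[KeyEntry]:
    """Unallocated keys with an empty key tag: the inconsistent entries from the post."""
    return [e for e in entries if e.zone == "NOT ALLOCATED" and e.keytag is None]


def delete_commands(entries: List[KeyEntry]) -> List[str]:
    """Commands for operator review, in the form the post used (not executed here)."""
    return [f"ods-ksmutil key delete --cka_id {e.cka_id}" for e in entries]


# Enforcer log lines copied from the post.
ENFORCER_LOG = """\
Mar 10 14:04:01 hugin ods-enforcerd: 1 new KSK(s) (2048 bits) need to be created for policy default: keys_to_generate(1) = keys_needed(367) - keys_available(366).
Mar 10 14:04:20 hugin ods-enforcerd: ERROR: Trying to make non-backed up ZSK active when RequireBackup flag is set
Mar 10 14:04:20 hugin ods-enforcerd: Signconf not written for mydomainname.no
"""

GEN_LINE = re.compile(r"(\d+) new (KSK|ZSK)\(s\) .*?keys_to_generate\((\d+)\) = "
                      r"keys_needed\((\d+)\) - keys_available\((\d+)\)")
BACKUP_ERR = re.compile(r"ERROR: Trying to make non-backed up (KSK|ZSK) active "
                        r"when RequireBackup flag is set")
NO_SIGNCONF = re.compile(r"Signconf not written for (\S+)")


def triage_enforcer_log(text: str) -> Dict[str, object]:
    """Summarise key generation, RequireBackup blocks and zones left unsigned."""
    report: Dict[str, object] = {"to_generate": {}, "needs_backup": [], "unsigned_zones": []}
    for line in text.splitlines():
        m = GEN_LINE.search(line)
        if m:
            count, ktype, gen, needed, avail = m.groups()
            # Cross-check the enforcer's own arithmetic before trusting the count.
            if int(gen) == int(needed) - int(avail) == int(count):
                report["to_generate"][ktype] = int(gen)
        m = BACKUP_ERR.search(line)
        if m:
            report["needs_backup"].append(m.group(1))
        m = NO_SIGNCONF.search(line)
        if m:
            report["unsigned_zones"].append(m.group(1))
    return report


if __name__ == "__main__":
    bad = suspect_keys(parse_key_list(KEY_LIST))
    print("\n".join(delete_commands(bad)))
    print(triage_enforcer_log(ENFORCER_LOG))
```

A non-empty `needs_backup` list is the cue for the last step in the post: run the SoftHSM backup and then `ods-control enforcer notify`, since keys in a repository with RequireBackup set are never promoted to active until the backup has been recorded.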
