[Opendnssec-user] Error allocating ksks / zsks
Kevin Thompson
sysadmin at antiduh.com
Thu Mar 10 23:24:42 UTC 2016
On 2016-03-10 08:12, Havard Eidnes wrote:
>> If key_pair_id = 0 is indeed invalid, I guess the database has gotten
>> into a state where OpenDNSSEC refuses to mend it automatically.
>>
>> Guidance sought.
>
> Listing all the keys with "ods-ksmutil key list --verbose --all"
> revealed:
>
> NOT ALLOCATED KSK generate (not scheduled) (publish) 2048 8 3b929d0ab308b4e1e8bf81abf1e6dafe SoftHSM
> NOT ALLOCATED ZSK generate (not scheduled) (publish) 1024 8 b3c5b3d619c086f41f3f2ed440419f23 SoftHSM
I ran into a similar problem last night. Long ago, I had incorrectly
deleted a zone I was using for testing, resulting in a few keys I could
not delete, but which were reported as 'NOT ALLOCATED'. I found
myself unable to delete the key because it was in a 'publish' state for
a zone that no longer existed, so I left it.

Everything worked fine, until last night when my KSK finally rolled
over. The KSK that was previously active had a lower primary key than
the "NOT ALLOCATED" key, but my new KSK had a larger primary key.
When the rollover happened, signerd crashed. After restarting ODS, I was
unable to get it to publish a DNSKEY record for the new KSK on the
working domain, even though it was publishing the DS record for the key.

I started working on exporting the existing database so I could back it
up, wipe it, and restore it. This is when I noticed that `ods-ksmutil
key export --all` was writing out the first couple of keys, but when it got
to the "NOT ALLOCATED" key, it stopped; I don't have the exact error, but
it was something along the lines of 'Error invalid index -1, stopping'.
I'm guessing that the DNSKEY for my new KSK wasn't being output to the
zone file because of this problem.

To fix it, I shut down ODS, opened the kasp.db file in sqlite and
deleted the busted key from the `keypairs` table. Lo and behold,
'ods-ksmutil key export' worked, and soon enough my zone finally had a
DNSKEY for my new KSK.
--Kevin Thompson
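The repair Kevin describes (stop the enforcer, back up kasp.db, delete the orphaned row from `keypairs`) is easy to get wrong by hand, since a key that is still referenced by a live zone must not be touched. The script below is an added example, not OpenDNSSEC's own tooling: it builds a constructed sample database with a simplified, assumed subset of the enforcer schema (the `zones`, `keypairs` and `dnsseckeys` tables exist in OpenDNSSEC 1.x, but the column names here are assumptions), lists key pairs that no existing zone references, and removes them only after copying the database file aside.

```python
"""Find and remove orphaned key pairs in a kasp.db-style SQLite file.

Added example, not OpenDNSSEC's own code. The schema is an assumed,
simplified subset of the OpenDNSSEC 1.x enforcer database; column
names are assumptions and must be checked against a real kasp.db.
"""
import os
import shutil
import sqlite3
import tempfile
import time

# Assumed minimal schema (constructed for this example).
SCHEMA = """
CREATE TABLE zones (id INTEGER PRIMARY KEY, name TEXT NOT NULL);
CREATE TABLE keypairs (id INTEGER PRIMARY KEY, HSMkey_id TEXT NOT NULL,
                       algorithm INTEGER, size INTEGER);
CREATE TABLE dnsseckeys (id INTEGER PRIMARY KEY, keypair_id INTEGER NOT NULL,
                         zone_id INTEGER, keytype INTEGER, state INTEGER);
"""


def build_sample_db(path):
    """Create a constructed sample kasp.db: a live KSK and ZSK for one zone,
    one key whose zone was deleted, and one key that was never allocated."""
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO zones VALUES (1, 'example.com')")
    conn.executemany("INSERT INTO keypairs VALUES (?, ?, ?, ?)", [
        (1, "hsmkey-ksk-live", 8, 2048),     # active KSK for example.com
        (2, "hsmkey-zsk-live", 8, 1024),     # active ZSK for example.com
        (3, "hsmkey-ksk-deleted-zone", 8, 2048),  # 'publish' for a gone zone
        (4, "hsmkey-zsk-unused", 8, 1024),   # generated, never allocated
    ])
    conn.executemany("INSERT INTO dnsseckeys VALUES (?, ?, ?, ?, ?)", [
        (1, 1, 1, 257, 4),
        (2, 2, 1, 256, 4),
        (3, 3, 7, 257, 2),   # zone_id 7 no longer exists in zones
    ])
    conn.commit()
    conn.close()


def find_orphaned_keypairs(conn):
    """Return ids of key pairs that no existing zone references: either no
    dnsseckeys row at all, or only rows pointing at a deleted zone."""
    rows = conn.execute("""
        SELECT k.id FROM keypairs k
        WHERE NOT EXISTS (
            SELECT 1 FROM dnsseckeys d JOIN zones z ON z.id = d.zone_id
            WHERE d.keypair_id = k.id)
        ORDER BY k.id""").fetchall()
    return [r[0] for r in rows]


def remove_orphaned_keypairs(path):
    """Back up the database file, then delete orphaned key pairs and their
    dangling dnsseckeys rows. Returns (deleted_ids, remaining_ids, backup)."""
    backup = f"{path}.bak-{int(time.time())}"
    shutil.copy2(path, backup)          # always keep a copy before editing
    conn = sqlite3.connect(path)
    orphans = find_orphaned_keypairs(conn)
    with conn:                           # single transaction
        conn.executemany("DELETE FROM dnsseckeys WHERE keypair_id = ?",
                         [(i,) for i in orphans])
        conn.executemany("DELETE FROM keypairs WHERE id = ?",
                         [(i,) for i in orphans])
    remaining = [r[0] for r in conn.execute("SELECT id FROM keypairs ORDER BY id")]
    conn.close()
    return orphans, remaining, backup


def run_demo():
    """Build the sample database in a temp dir and run the cleanup."""
    path = os.path.join(tempfile.mkdtemp(), "kasp.db")
    build_sample_db(path)
    conn = sqlite3.connect(path)
    before = find_orphaned_keypairs(conn)
    conn.close()
    deleted, remaining, backup = remove_orphaned_keypairs(path)
    return before, deleted, remaining, os.path.exists(backup)


if __name__ == "__main__":
    print(run_demo())
```

Two points the script does not cover: as in the post, the enforcer and signer should be stopped before the file is opened, and deleting the database row does not remove the key object from SoftHSM, which still has to be cleaned up through the HSM's own tools.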