[Opendnssec-user] Get "all" keys / export by CKA_ID
Casper Gielen
C.Gielen at uvt.nl
Tue Aug 14 11:16:38 UTC 2018
Hey guys,
I've been struggling with something that feels like it should be easy. I'm using ODS
I'd like ODS to give me a list of all keys that should be in the parent zone.
As far as I can tell this is a four-step process:
First, extract the CKA_IDs of the keys that have Pub == 1 from 'key list -d':
root at ramachandra:~# ods-enforcer key list --zone example.com --keytype ksk -d
Zone: Key role: DS: DNSKEY: RRSIGDNSKEY: RRSIG: Pub: Act: Id:
example.com KSK unretentive unretentive unretentive NA 0 0 149b8a0b2bba19195208231d5bf0d6a5
example.com KSK omnipresent omnipresent omnipresent NA 1 1 550785d7a016b8814ec44ab61cedca2a
example.com KSK hidden rumoured rumoured NA 1 1 f9ed71a437624a79821582653086be78
-> 550785d7a016b8814ec44ab61cedca2a, f9ed71a437624a79821582653086be78
Second, match the CKA_IDs from 'key list -d' with the output from 'key list -v' to get the KeyTags.
root at ramachandra:~# ods-enforcer key list --zone example.com -v
Zone: Keytype: State: Date of next transition: Size: Algorithm: CKA_ID: Repository: KeyTag:
example.com KSK retire waiting for ds-gone 2048 8 149b8a0b2bba19195208231d5bf0d6a5 LocalHSM 43531
example.com KSK active 2018-08-14 13:12:55 2048 8 550785d7a016b8814ec44ab61cedca2a LocalHSM 57715
example.com KSK publish 2018-08-14 13:12:55 2048 8 f9ed71a437624a79821582653086be78 LocalHSM 28411
-> 57715, 28411
Thirdly, match the KeyTags with the output from 'ods-enforcer key export' to get to the actual key.
Finally, repeat these steps for the various keystates ('publish ready active retire').
ods-enforcer key export --zone $zone --keytype ksk
example.com. 3600 IN DNSKEY 257 3 8 Aw...5shk= ;{id = 43531 (ksk), size = 2048b}
ods-enforcer key export --zone mijnuvt.nl --keytype ksk --keystate active
exmaple.com. 3600 IN DNSKEY 257 3 8 Aw...axPU= ;{id = 57715 (ksk), size = 2048b}
ods-enforcer key export --zone mijnuvt.nl --keytype ksk --keystate publish
example.com. 3600 IN DNSKEY 257 3 8 Aw...aHLc= ;{id = 10840 (ksk), size = 2048b}
-> Aw...axPU=, Aw...aHLc=
It seems way too complicated for something that. Am I overlooking something?
PS 1.
The way the terms 'active' and 'publish' are used is confusing to me.
The command 'ods-enforcer key list -d' has columns named 'Pub' and 'Act' that only
roughly correspond to the keystates named 'publish' and 'active'. I guess this is a
leftover from ODS 1.
PS 2.
By default 'ods-enforcer key export' shows only keys with keystate==retire.
That seems an odd choice.
PS 3.
I would have filed feature requests if I didn't have the feeling I'm doing something wrong.
Unless someone points out an easy solution I might file the following feature requests:
1. Add '--keytag' and '--cka_id' options to ods-export.
2. Make ods-export by default either export exactly those keys that should be published
in the parent zone or just every key known.
ods-enforcer key export --zone $zone --keytype ksk
-> Aw...axPU=, Aw...aHLc=
--
Casper Gielen <cgielen at uvt.nl> | LIS UNIX
PGP fingerprint = 16BD 2C9F 8156 C242 F981 63B8 2214 083C F80E 4AF7
Universiteit van Tilburg | Postbus 90153, 5000 LE
Warandelaan 2 | Telefoon 013 466 4100 | G 236 | http://www.uvt.nl
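The three-way join described in the mail (Pub == 1 rows from 'key list -d', CKA_ID to KeyTag via 'key list -v', KeyTag to DNSKEY record via 'key export'), as an added example that is not part of the original post or of OpenDNSSEC itself. It assumes the three outputs have already been captured into strings (the sample data below is constructed from the output quoted in the mail, and KEY_EXPORT is assumed to be the concatenated export over all keystates, since a single 'key export' call shows only one state) and reports any Pub key whose KeyTag is absent from the export rather than dropping it silently.

```python
import re
# Constructed sample output, modelled on the ods-enforcer output quoted in the mail.
KEY_LIST_D = """\
Zone: Key role: DS: DNSKEY: RRSIGDNSKEY: RRSIG: Pub: Act: Id:
example.com KSK unretentive unretentive unretentive NA 0 0 149b8a0b2bba19195208231d5bf0d6a5
example.com KSK omnipresent omnipresent omnipresent NA 1 1 550785d7a016b8814ec44ab61cedca2a
example.com KSK hidden rumoured rumoured NA 1 1 f9ed71a437624a79821582653086be78
"""
KEY_LIST_V = """\
Zone: Keytype: State: Date of next transition: Size: Algorithm: CKA_ID: Repository: KeyTag:
example.com KSK retire waiting for ds-gone 2048 8 149b8a0b2bba19195208231d5bf0d6a5 LocalHSM 43531
example.com KSK active 2018-08-14 13:12:55 2048 8 550785d7a016b8814ec44ab61cedca2a LocalHSM 57715
example.com KSK publish 2018-08-14 13:12:55 2048 8 f9ed71a437624a79821582653086be78 LocalHSM 28411
"""
KEY_EXPORT = """\
example.com. 3600 IN DNSKEY 257 3 8 Aw...5shk= ;{id = 43531 (ksk), size = 2048b}
example.com. 3600 IN DNSKEY 257 3 8 Aw...axPU= ;{id = 57715 (ksk), size = 2048b}
example.com. 3600 IN DNSKEY 257 3 8 Aw...aHLc= ;{id = 28411 (ksk), size = 2048b}
"""
EXPORT_RE = re.compile(r"^\S+\s+\d+\s+IN\s+DNSKEY\s+.*;\{id = (\d+) ")

def published_cka_ids(list_d):
    """Step 1: CKA_IDs of 'key list -d' rows with Pub == 1 (fixed 9-column layout)."""
    rows = (l.split() for l in list_d.splitlines()[1:])   # [1:] skips the header
    return {f[8] for f in rows if len(f) == 9 and f[6] == "1"}

def keytag_by_cka_id(list_v):
    """Step 2: CKA_ID -> KeyTag from 'key list -v'. The 'next transition' column has a
    variable number of words, so the fixed columns are indexed from the right."""
    rows = (l.split() for l in list_v.splitlines()[1:])
    return {f[-3]: f[-1] for f in rows if len(f) >= 9}

def dnskey_by_keytag(export):
    """Step 3: KeyTag -> DNSKEY record line from 'key export' output."""
    matches = (EXPORT_RE.match(l) for l in export.splitlines())
    return {m.group(1): m.string for m in matches if m}

def keys_for_parent(list_d, list_v, export):
    """Join the three outputs. Returns (DNSKEY records, keytags absent from the export),
    so a key that is marked Pub but was not exported is reported instead of lost."""
    tags = keytag_by_cka_id(list_v)
    wanted = sorted(tags[i] for i in published_cka_ids(list_d) if i in tags)
    records = dnskey_by_keytag(export)
    found = [records[t] for t in wanted if t in records]
    return found, [t for t in wanted if t not in records]

if __name__ == "__main__":
    recs, missing = keys_for_parent(KEY_LIST_D, KEY_LIST_V, KEY_EXPORT)
    print("\n".join(recs), "\nnot in export:", missing)
```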