[Opendnssec-user] Missing keys and various other problems on 2.0
Berry A.W. van Halderen
berry at nlnetlabs.nl
Fri Jun 22 13:33:16 UTC 2018
On 06/22/2018 01:44 PM, Casper Gielen wrote:
> My main problem is that zones lose DNSKEYs and get stuck with unverifiable signatures.
>
> # ods-enforcer key list --zone wiskundeoptiu.nl -v
> Keys:
> Zone: Keytype: State: Date of next transition: Size: Algorithm: CKA_ID: Repository: KeyTag:
> wiskundeoptiu.nl KSK retire 2018-06-20 15:14:02 2048 8 489db07082a644fcfa67f077627b7c7c LocalHSM 39466
> wiskundeoptiu.nl ZSK retire 2018-06-20 15:14:02 1024 8 2f3c7829c40248b5537b3cd09266678c LocalHSM 50226
> wiskundeoptiu.nl KSK active 2018-06-20 15:14:02 2048 8 758cc85fc16528184f32dbfab70663f6 LocalHSM 62161
> wiskundeoptiu.nl ZSK active 2018-06-20 15:14:02 1024 8 8472c2bac0dbfc86d3a687644a3ef4f5 LocalHSM 59790
> wiskundeoptiu.nl ZSK ready 2018-06-20 15:14:02 1024 8 3e97dcd131d9264cad2fb84676ade00e LocalHSM 28818
Either this is a transcript from two days ago, or indeed something is
stuck, which (see later) might indeed be the case.
> # ods-enforcer key list --zone wiskundeoptiu.nl -d
> Keys:
> Zone: Key role: DS: DNSKEY: RRSIGDNSKEY: RRSIG: Pub: Act: Id:
> wiskundeoptiu.nl KSK hidden hidden hidden NA 0 0 489db07082a644fcfa67f077627b7c7c
> wiskundeoptiu.nl ZSK NA hidden NA hidden 0 0 2f3c7829c40248b5537b3cd09266678c
> wiskundeoptiu.nl KSK omnipresent omnipresent omnipresent NA 1 1 758cc85fc16528184f32dbfab70663f6
> wiskundeoptiu.nl ZSK NA omnipresent NA omnipresent 1 1 8472c2bac0dbfc86d3a687644a3ef4f5
> wiskundeoptiu.nl ZSK NA omnipresent NA rumoured 1 1 3e97dcd131d9264cad2fb84676ade00e
>
> ZSK 50226 is still being used but it is not published in the zone.
> It used to be signed with KSK 39466 which is also missing.
>
> The only reasonable root cause that I can think of is that for a while
> the enforcer was running as root instead of the 'opendnssec' user. I've changed
> that and made sure that the opendnssec-user is allowed to access the softhsm2 files.
I'm giving a quick reply now, even though I've not analyzed your mail
further. But your current remarks make sense and might already give
a resolution to the problem.
If you had previously been running OpenDNSSEC as root, the signconf.xml
file for the zone (normally located somewhere in a signconf directory,
typically /var/opendnssec/signconf/wiskundeoptiu.nl.xml)
might have been written as the root user, and when later running as
a different user, OpenDNSSEC may then no longer be able to replace
this file. The message for this might probably be overwhelmed by other
messages. It will not re-try by itself, so what you need to do
is remove the files owned by root in the signconf directory and
then force them to be re-generated by giving an "ods-enforcer enforce"
command, which forces the enforcer to inspect the zones.
There is no feedback-loop from the signer to the enforcer,
which is one of the ideas to be added as an (optional) feature.
What this means is that the enforcer will step through key roll
procedures regardless of whether the signer has actually picked
up the changes (in the signconf). This will further lead to
problems because this means keys might actually be purged from
the HSM and the signer will then fail further on.
Could you check whether files are still owned by root?
\Berry
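The ownership check Berry asks for, as an added example that is not part of the thread or of OpenDNSSEC itself: it lists signconf files not owned by the user the enforcer runs as, and by default only prints the remediation from the mail (remove the root-owned files, then "ods-enforcer enforce") rather than applying it. The directory, the user name "opendnssec" and the FIX/SIGNCONF_DIR/ODS_USER variables are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Defaults below are assumptions.
SIGNCONF_DIR="${SIGNCONF_DIR:-/var/opendnssec/signconf}"
ODS_USER="${ODS_USER:-opendnssec}"

# Print every regular file under $1 whose owner is not the user $2.
# Returns 0 when all files belong to $2, 1 when at least one does not,
# 2 when the user does not exist (so a typo cannot produce a false "ok").
find_foreign_signconf() {
    dir="$1"; user="$2"
    id "$user" >/dev/null 2>&1 || { echo "no such user: $user" >&2; return 2; }
    foreign=$(find "$dir" -type f ! -user "$user")
    [ -z "$foreign" ] && return 0
    printf '%s\n' "$foreign"
    return 1
}

# Run the check against the signconf directory. Without FIX=1 this is a
# dry run: the offending files are listed and the remedy is only described.
check_signconf() {
    if find_foreign_signconf "$SIGNCONF_DIR" "$ODS_USER"; then
        echo "ok: all files in $SIGNCONF_DIR are owned by $ODS_USER"
        return 0
    fi
    echo "files above are not owned by $ODS_USER; the enforcer cannot replace them"
    if [ "${FIX:-0}" = 1 ]; then
        # Remedy from the thread: drop the foreign-owned files and make the
        # enforcer regenerate them by re-inspecting the zones.
        find "$SIGNCONF_DIR" -type f ! -user "$ODS_USER" -exec rm -f {} +
        ods-enforcer enforce
    else
        echo "dry run: rerun with FIX=1 to remove them and run 'ods-enforcer enforce'"
    fi
    return 1
}

# Only act when the directory exists, so the functions can also be sourced.
if [ -d "$SIGNCONF_DIR" ]; then
    check_signconf || exit 1
fi
```

Run it as the OpenDNSSEC user (or as root with ODS_USER set) after the switch away from running as root; a non-zero exit means the enforcer's "enforce" run will not have been able to rewrite at least one zone's signconf.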