[Opendnssec-user] Missing keys and various other problems on 2.0

Berry A.W. van Halderen berry at nlnetlabs.nl
Fri Jun 22 13:33:16 UTC 2018


On 06/22/2018 01:44 PM, Casper Gielen wrote:
> My main problem is that zones lose DNSKEYs and get stuck with unverifiable signatures.
> 
> # ods-enforcer key list --zone wiskundeoptiu.nl -v
> Keys:
> Zone:                 Keytype: State:    Date of next transition: Size: Algorithm: CKA_ID:                          Repository: KeyTag:
> wiskundeoptiu.nl      KSK      retire    2018-06-20 15:14:02      2048  8          489db07082a644fcfa67f077627b7c7c LocalHSM    39466
> wiskundeoptiu.nl      ZSK      retire    2018-06-20 15:14:02      1024  8          2f3c7829c40248b5537b3cd09266678c LocalHSM    50226
> wiskundeoptiu.nl      KSK      active    2018-06-20 15:14:02      2048  8          758cc85fc16528184f32dbfab70663f6 LocalHSM    62161
> wiskundeoptiu.nl      ZSK      active    2018-06-20 15:14:02      1024  8          8472c2bac0dbfc86d3a687644a3ef4f5 LocalHSM    59790
> wiskundeoptiu.nl      ZSK      ready     2018-06-20 15:14:02      1024  8          3e97dcd131d9264cad2fb84676ade00e LocalHSM    28818

Either this is a transcript from two days ago, or indeed something is
stuck which (see later) might indeed be the case.


> # ods-enforcer key list --zone wiskundeoptiu.nl -d
> Keys:
> Zone:                 Key role:   DS:          DNSKEY:      RRSIGDNSKEY: RRSIG:       Pub: Act: Id:
> wiskundeoptiu.nl      KSK         hidden       hidden       hidden       NA           0    0    489db07082a644fcfa67f077627b7c7c
> wiskundeoptiu.nl      ZSK         NA           hidden       NA           hidden       0    0    2f3c7829c40248b5537b3cd09266678c
> wiskundeoptiu.nl      KSK         omnipresent  omnipresent  omnipresent  NA           1    1    758cc85fc16528184f32dbfab70663f6
> wiskundeoptiu.nl      ZSK         NA           omnipresent  NA           omnipresent  1    1    8472c2bac0dbfc86d3a687644a3ef4f5
> wiskundeoptiu.nl      ZSK         NA           omnipresent  NA           rumoured     1    1    3e97dcd131d9264cad2fb84676ade00e
> 
> ZSK 50226 is still being used but it is not published in the zone.
> It used to be signed with KSK 39466 which is also missing.
> 
> The only reasonable root cause that I can think of is that for a while
> the enforcer was running as root instead of the 'opendnssec' user. I've changed
> that and made sure that the opendnssec user is allowed to access the softhsm2 files.

I'm giving a quick reply now, even though I've not analyzed your mail
further.  But your current remarks make sense and might already give
a resolution to the problem.

If you had previously been running OpenDNSSEC as root, the signconf.xml
file for the zone (normally located somewhere in a signconf directory,
typically /var/opendnssec/signconf/wiskundeoptiu.nl.xml) might have
been written as the root user, and when later running as a different
user, OpenDNSSEC may then no longer be able to replace this file.  The
message for this might probably be overwhelmed by other messages.  It
will not re-try by itself, so what you need to do is remove the files
owned by root in the signconf directory and then force them to be
re-generated by giving an "ods-enforcer enforce" command to force
inspecting the zones.

There is no feedback loop from the signer to the enforcer, which is
one of the ideas to be put in as an (optional) feature.  What this
means is that the enforcer will step through key roll procedures
regardless of whether the signer has actually picked up the changes
(in the signconf).  This will further lead to problems because this
means keys might actually be purged from the HSM and the signer will
then fail further on.

Could you check whether files are still owned by root?

\Berry
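The ownership check Berry asks for, as an added shell example that is not part of the thread: it lists signconf files not owned by the user OpenDNSSEC now runs as and, with --fix, moves them aside and runs "ods-enforcer enforce" so they are rewritten. The directory, user name and quarantine path are assumptions based on the mail.

```shell
#!/bin/sh
# Added example, not from the thread: report files in the signconf directory
# that are not owned by the user OpenDNSSEC now runs as, optionally move them
# aside, and then ask the enforcer to regenerate them. Directory, user name and
# quarantine path are assumptions based on the mail; adjust to the installation.
SIGNCONF_DIR="${SIGNCONF_DIR:-/var/opendnssec/signconf}"
ODS_USER="${ODS_USER:-opendnssec}"
QUARANTINE_DIR="${QUARANTINE_DIR:-/var/tmp/signconf-quarantine}"

# List regular files under $1 whose owner is not user $2, one path per line.
# An unknown user name would otherwise make find report nothing and look clean.
find_wrong_owner() {
    id -u "$2" >/dev/null 2>&1 || { echo "unknown user: $2" >&2; return 2; }
    find "$1" -type f ! -user "$2"
}

# Number of such files, printed on stdout so callers can test for "0".
count_wrong_owner() {
    find_wrong_owner "$1" "$2" | wc -l | tr -d ' '
}

# Move the offending files into $3 rather than deleting them, so the stale
# signconf can still be inspected or restored if regeneration goes wrong.
quarantine_wrong_owner() {
    mkdir -p "$3"
    find_wrong_owner "$1" "$2" | while IFS= read -r f; do
        mv "$f" "$3/"
    done
}

main() {
    [ -d "$SIGNCONF_DIR" ] || { echo "no such directory: $SIGNCONF_DIR" >&2; return 1; }
    n=$(count_wrong_owner "$SIGNCONF_DIR" "$ODS_USER")
    if [ "$n" = "0" ]; then
        echo "ok: every file in $SIGNCONF_DIR is owned by $ODS_USER"
        return 0
    fi
    echo "$n file(s) in $SIGNCONF_DIR not owned by $ODS_USER:"
    find_wrong_owner "$SIGNCONF_DIR" "$ODS_USER"
    [ "$1" = "--fix" ] || return 1
    q="$QUARANTINE_DIR/$(date +%Y%m%d%H%M%S)"
    quarantine_wrong_owner "$SIGNCONF_DIR" "$ODS_USER" "$q"
    echo "moved to $q; asking the enforcer to rewrite the signconf files"
    ods-enforcer enforce   # command named in the mail; re-inspects all zones
}

# Run only when invoked with --check or --fix, so sourcing the file is harmless.
case "${1:-}" in --check|--fix) main "$1" ;; esac
```

Run it as the user OpenDNSSEC runs under first with --check; a non-zero exit means root-owned leftovers were found.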