[Opendnssec-user] Missing keys and various other problems on 2.0
Casper Gielen
C.Gielen at uvt.nl
Mon Jun 25 09:49:28 UTC 2018
On 22-06-18 at 15:33, Berry A.W. van Halderen wrote:
> On 06/22/2018 01:44 PM, Casper Gielen wrote:
>> My main problem is that zones lose DNSKEYs and get stuck with unverifiable signatures.
>>
>> # ods-enforcer key list --zone wiskundeoptiu.nl -v
>> Keys:
>> Zone: Keytype: State: Date of next transition: Size: Algorithm: CKA_ID: Repository: KeyTag:
>> wiskundeoptiu.nl KSK retire 2018-06-20 15:14:02 2048 8 489db07082a644fcfa67f077627b7c7c LocalHSM 39466
>> wiskundeoptiu.nl ZSK retire 2018-06-20 15:14:02 1024 8 2f3c7829c40248b5537b3cd09266678c LocalHSM 50226
>> wiskundeoptiu.nl KSK active 2018-06-20 15:14:02 2048 8 758cc85fc16528184f32dbfab70663f6 LocalHSM 62161
>> wiskundeoptiu.nl ZSK active 2018-06-20 15:14:02 1024 8 8472c2bac0dbfc86d3a687644a3ef4f5 LocalHSM 59790
>> wiskundeoptiu.nl ZSK ready 2018-06-20 15:14:02 1024 8 3e97dcd131d9264cad2fb84676ade00e LocalHSM 28818
>
> Either this is a transcript from two days ago, or indeed something is
> stuck which (see later) might indeed be the case.
It is indeed old data, although nothing has really changed since then other
than the date of next transition.
> If you had previously been running OpenDNSSEC as root, the signconf.xml
> file for the zone (normally located somewhere in a signconf directory,
> typically /var/opendnssec/signconf/wiskundeoptiu.nl.xml) might have been
> written as the root user, and when later running as a different user,
> OpenDNSSEC may then no longer be able to replace this file.
I've verified that everything under /var/lib/opendnssec is readable and
writable by the opendnssec user. The configuration, under
/etc/opendnssec, is readable but not writable.
> There is no feedback loop from the signer to the enforcer,
> which is one of the ideas to be added as an (optional) feature.
> What this means is that the enforcer will step through key roll
> procedures regardless of whether the signer has actually picked
> up the changes (in the signconf). This will further lead to
> problems because this means keys might actually be purged from
> the HSM and the signer will then fail further on.
That's good to know. I guess this also means that if the ODS server is not
available (e.g. powered off) for a few days, then when it comes back online
it might take a big step forward?
I bring it up because when this problem first surfaced (at an
inconvenient time, as usual ;) ) I restored a backup from a few days
before so we could get through the weekend and then shut down ODS.
In hindsight this might have caused problems when I turned it back on.
Thanks for your advice!
--
Casper Gielen <cgielen at uvt.nl> | LIS UNIX
PGP fingerprint = 16BD 2C9F 8156 C242 F981 63B8 2214 083C F80E 4AF7
Universiteit van Tilburg | Postbus 90153, 5000 LE
Warandelaan 2 | Telefoon 013 466 4100 | G 236 | http://www.uvt.nl
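As an added example (not from this thread and not OpenDNSSEC's own code), a consistency check for the drift Berry describes: it parses the enforcer's key list and the DNSKEY RRset the signer actually published, and reports keys the enforcer expects in the zone that the signer never picked up, keys published that the enforcer no longer lists, and keys whose next transition is more than a day overdue (the enforcer looks stuck). Both sample outputs are constructed from the key tags quoted above; the `key id` comment assumes `dig +multiline` output.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of `ods-enforcer key list --zone ... -v` output, using the
# key tags and states quoted in the thread above.
ENFORCER_KEY_LIST = """Keys:
Zone: Keytype: State: Date of next transition: Size: Algorithm: CKA_ID: Repository: KeyTag:
wiskundeoptiu.nl KSK retire 2018-06-20 15:14:02 2048 8 489db07082a644fcfa67f077627b7c7c LocalHSM 39466
wiskundeoptiu.nl ZSK retire 2018-06-20 15:14:02 1024 8 2f3c7829c40248b5537b3cd09266678c LocalHSM 50226
wiskundeoptiu.nl KSK active 2018-06-20 15:14:02 2048 8 758cc85fc16528184f32dbfab70663f6 LocalHSM 62161
wiskundeoptiu.nl ZSK active 2018-06-20 15:14:02 1024 8 8472c2bac0dbfc86d3a687644a3ef4f5 LocalHSM 59790
wiskundeoptiu.nl ZSK ready 2018-06-20 15:14:02 1024 8 3e97dcd131d9264cad2fb84676ade00e LocalHSM 28818
"""
# Constructed sample of `dig +multiline DNSKEY` output for the signed zone: only
# two keys are published, i.e. the signer did not pick up the current signconf.
PUBLISHED_DNSKEYS = """wiskundeoptiu.nl. 3600 IN DNSKEY 257 3 8 (
    AwEAAc...constructed...
    ) ; KSK; alg = RSASHA256 ; key id = 62161
wiskundeoptiu.nl. 3600 IN DNSKEY 256 3 8 (
    AwEAAb...constructed...
    ) ; ZSK; alg = RSASHA256 ; key id = 50226
"""
KEY_RE = re.compile(r"^(\S+)\s+(KSK|ZSK)\s+(\w+)\s+(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)"
                    r"\s+\d+\s+\d+\s+\S+\s+\S+\s+(\d+)$")
KEYID_RE = re.compile(r"key id = (\d+)")
# Enforcer states in which the DNSKEY must already be in the signed zone.
PUBLISHED_STATES = {"publish", "ready", "active"}

def parse_enforcer_keys(text):
    keys = []
    for line in text.splitlines():
        m = KEY_RE.match(line.strip())
        if m:  # header lines ("Keys:", "Zone: Keytype: ...") do not match
            zone, ktype, state, when, tag = m.groups()
            keys.append({"zone": zone, "type": ktype, "state": state, "tag": int(tag),
                         "next": datetime.strptime(when, "%Y-%m-%d %H:%M:%S")})
    return keys

def find_drift(keys, published, now, slack=timedelta(days=1)):
    """Compare enforcer key states with the DNSKEY tags actually published."""
    expected = {k["tag"] for k in keys if k["state"] in PUBLISHED_STATES}
    return {"missing_from_zone": sorted(expected - published),
            "unknown_in_zone": sorted(published - {k["tag"] for k in keys}),
            "overdue": sorted(k["tag"] for k in keys if k["next"] + slack < now)}

def check_sample(now="2018-06-25 09:49:28"):
    published = {int(m.group(1)) for m in KEYID_RE.finditer(PUBLISHED_DNSKEYS)}
    return find_drift(parse_enforcer_keys(ENFORCER_KEY_LIST), published,
                      datetime.strptime(now, "%Y-%m-%d %H:%M:%S"))
```

Run against live `ods-enforcer key list -v` and `dig +multiline DNSKEY` output, a non-empty `missing_from_zone` is the signal that the signconf was not picked up before the enforcer moved on.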