[Opendnssec-user] Missing keys and various other problems on 2.0
C.Gielen at uvt.nl
Mon Jun 25 09:49:28 UTC 2018
Op 22-06-18 om 15:33 schreef Berry A.W. van Halderen:
> On 06/22/2018 01:44 PM, Casper Gielen wrote:
>> My main problem is that zones lose DNSKEYs and get stuk with unverifiable signatures.
>> # ods-enforcer key list --zone wiskundeoptiu.nl -v
>> Zone: Keytype: State: Date of next transition: Size: Algorithm: CKA_ID: Repository: KeyTag:
>> wiskundeoptiu.nl KSK retire 2018-06-20 15:14:02 2048 8 489db07082a644fcfa67f077627b7c7c LocalHSM 39466
>> wiskundeoptiu.nl ZSK retire 2018-06-20 15:14:02 1024 8 2f3c7829c40248b5537b3cd09266678c LocalHSM 50226
>> wiskundeoptiu.nl KSK active 2018-06-20 15:14:02 2048 8 758cc85fc16528184f32dbfab70663f6 LocalHSM 62161
>> wiskundeoptiu.nl ZSK active 2018-06-20 15:14:02 1024 8 8472c2bac0dbfc86d3a687644a3ef4f5 LocalHSM 59790
>> wiskundeoptiu.nl ZSK ready 2018-06-20 15:14:02 1024 8 3e97dcd131d9264cad2fb84676ade00e LocalHSM 28818
> Either this is a transcript from two days ago, or indeed something is
> stuck which (see later) might indeed be the case.
It is indeed a old data, although nothing really changed since other
than the date of next transition.
> If you had previous been running OpenDNSSEC as root, the signconf.xml
> file for the zone (normally located somewhere in a signconf directory
> (typically /var/opendnssec/signconf/wiskundeoptiu.nl.xml).
> Might have been written as the root user, and when later running as
> a different user, OpenDNSSEC may then no longer be able to replace
> this file.
I've verified that everything under /var/lib/opendnssec is readable and
writable by the opendnssec user. The configuration, under
/etc/opendnssec, is readable but not writable.
> There is no feedback-loop from the signer to the enforcer,
> which is one of the ideas to be placed in as (optional) feature.
> What this means is that the enforcer will step through key roll
> procedures regardless of wether the signer has actually picked
> up the changes (in the signconf). This will further lead to
> problems because this means keys might actually be purged from
> the HSM and the signer will then fail further on.
That's good to know. I guess this also means that if ODS server is not
available (eg powered off) for a few days that when it comes back online
it might take a big step forward?
Ik bring it up because when this problem first surfaced (at an
inconvenient time, as usual ;) ) I restored a backup from a few days
before so we could get through the weekend and then shutdown ODS>
In hindsight this might have caused problems when I turned it back on.
Thanks for you advice!
Casper Gielen <cgielen at uvt.nl> | LIS UNIX
PGP fingerprint = 16BD 2C9F 8156 C242 F981 63B8 2214 083C F80E 4AF7
Universiteit van Tilburg | Postbus 90153, 5000 LE
Warandelaan 2 | Telefoon 013 466 4100 | G 236 | http://www.uvt.nl
More information about the Opendnssec-user