[Opendnssec-user] Missing keys and various other problems on 2.0
Casper Gielen
C.Gielen at uvt.nl
Mon Jun 25 13:05:33 UTC 2018
Op 25-06-18 om 11:49 schreef Casper Gielen:
>
> I've verified that everything under /var/lib/opendnssec is readable and
> writable by the opendnssec user. The configuration, under
> /etc/opendnssec, is readable but not writable.
Minutes after I wrote this a colleague added a new zone (ucgv.nl) that immediately ran into trouble.
Unfortunately I do not have complete logging, this is what I do have:
Jun 25 11:15:49 ramachandra ods-enforcerd: [zonelist_import] zone ucgv.nl created
...
Jun 25 11:16:02 ramachandra ods-enforcerd: [enforcer] update zone: ucgv.nl
Jun 25 11:16:02 ramachandra ods-enforcerd: 199 zone(s) found on policy "sidn"
Jun 25 11:16:02 ramachandra ods-enforcerd: [hsm_key_factory_generate] 1 keys needed for 199 zones covering 31536000 seconds, generating 1 keys for policy sidn
Jun 25 11:16:02 ramachandra ods-enforcerd: 1 new KSK(s) (2048 bits) need to be created.
Jun 25 11:16:02 ramachandra ods-enforcerd: 199 zone(s) found on policy "sidn"
Jun 25 11:16:02 ramachandra ods-enforcerd: [hsm_key_factory_generate] 13 keys needed for 199 zones covering 31536000 seconds, generating 1 keys for policy sidn
Jun 25 11:16:02 ramachandra ods-enforcerd: 1 new ZSK(s) (1024 bits) need to be created.
Jun 25 11:16:02 ramachandra ods-enforcerd: [signconf_cmd] performing signconf for all zones
Jun 25 11:16:02 ramachandra ods-enforcerd: [signconf_cmd] signconf done, notifying signer
...
Jun 25 11:30:17 ramachandra ods-signerd: [hsm] unable to get key: key a1d5274f2e3c73eb73ec99c16e781d0d not found
Jun 25 11:30:17 ramachandra ods-signerd: [hsm] hsm_get_dnskey(): Got NULL key
Jun 25 11:30:17 ramachandra ods-signerd: [hsm] unable to get key: hsm failed to create dnskey
Jun 25 11:30:17 ramachandra ods-signerd: [zone] unable to prepare signing keys for zone ucgv.nl: error getting dnskey
Jun 25 11:30:17 ramachandra ods-signerd: [worker[1]] CRITICAL: failed to sign zone ucgv.nl: General error
root at ramachandra:~# ods-enforcer key list --zone ucgv.nl -v
Keys:
Zone: Keytype: State: Date of next transition: Size: Algorithm: CKA_ID: Repository: KeyTag:
ucgv.nl ZSK publish 2018-06-26 11:16:27 1024 8 991337c6e4aba10487ef75d8ca990668 LocalHSM 24390
root at ramachandra:~# ods-enforcer key list --zone ucgv.nl -d
Keys:
Zone: Key role: DS: DNSKEY: RRSIGDNSKEY: RRSIG: Pub: Act: Id:
ucgv.nl ZSK NA hidden NA rumoured 0 1 991337c6e4aba10487ef75d8ca990668
The log shows he followed our usual procedure to the tee.
I immediatly repeated his steps, except for a different domain name, but was unable to reproduce te problem.
The difference might be that I worked with a frehsly restarted ods-enforcer, while it had been running for three days straight when my colleague added the zone.
Jun 25 13:40:08 ramachandra ods-enforcerd: [zonelist_import] zone ucgvtest2.nl created
Jun 25 13:40:16 ramachandra ods-enforcerd: [enforcer] update zone: ucgvtest2.nl
Jun 25 13:40:16 ramachandra ods-enforcerd: [hsm_key_factory_get_key] key allocated
Jun 25 13:40:16 ramachandra ods-enforcerd: [scheduler] schedule task [hsmkeygen] for policy_key
Jun 25 13:40:16 ramachandra ods-enforcerd: [scheduler] signal now
Jun 25 13:40:16 ramachandra ods-enforcerd: [enforcer] updatePolicy: got new key from HSM
Jun 25 13:40:16 ramachandra ods-enforcerd: [worker[4]]: report for duty
Jun 25 13:40:16 ramachandra ods-enforcerd: [scheduler] SIGALRM set
Jun 25 13:40:16 ramachandra ods-enforcerd: [worker[4]] start working
Jun 25 13:40:16 ramachandra ods-enforcerd: [worker[4]]: perform task [hsmkeygen] for policy_key
Jun 25 13:40:16 ramachandra ods-enforcerd: SELECT policy.id, policy.rev, policy.name, policy.description, policy.signaturesResign, policy.signaturesRefresh, policy.signaturesJitter, policy.signaturesInceptionOffset, policy.signaturesValidityDefault, policy.signaturesValidityDenial, policy.signaturesValidityKeyset, policy.signaturesMaxZoneTtl, policy.denialType, policy.denialOptout, policy.denialTtl, policy.denialResalt, policy.denialAlgorithm, policy.denialIterations, policy.denialSaltLength, policy.denialSalt, policy.denialSaltLastChange, policy.keysTtl, policy.keysRetireSafety, policy.keysPublishSafety, policy.keysShared, policy.keysPurgeAfter, policy.zonePropagationDelay, policy.zoneSoaTtl, policy.zoneSoaMinimum, policy.zoneSoaSerial, policy.parentRegistrationDelay, policy.parentPropagationDelay, policy.parentDsTtl, policy.parentSoaTtl, policy.parentSoaMinimum, policy.passthrough FROM policy WHERE policy.id = ?
Jun 25 13:40:16 ramachandra ods-enforcerd: [hsm_key_factory_generate_task] generate for policy key [duration: 0]
Jun 25 13:40:16 ramachandra ods-enforcerd: [hsm_key_factory_generate] repository LocalHSM role KSK
Jun 25 13:40:16 ramachandra ods-enforcerd: SELECT COUNT(*) FROM hsmKey WHERE hsmKey.policyId = ? AND hsmKey.state = ? AND hsmKey.bits = ? AND hsmKey.algorithm = ? AND hsmKey.role = ? AND hsmKey.isRevoked = ? AND hsmKey.keyType = ? AND hsmKey.repository = ?
Jun 25 13:40:16 ramachandra ods-enforcerd: SELECT COUNT(*) FROM zone WHERE zone.policyId = ?
Jun 25 13:40:16 ramachandra ods-enforcerd: 200 zone(s) found on policy "sidn"
Jun 25 13:40:16 ramachandra ods-enforcerd: [hsm_key_factory_generate] 1 keys needed for 200 zones covering 31536000 seconds, generating 1 keys for policy sidn
Jun 25 13:40:16 ramachandra ods-enforcerd: 1 new KSK(s) (2048 bits) need to be created.
Jun 25 13:40:16 ramachandra ods-enforcerd: [hsm_key_factory_generate] generated key 5ddcfb83faa841d034ee262586391216 successfully
Jun 25 13:40:16 ramachandra ods-enforcerd: [hsm_key_factory_generate_task] generate for policy key done
Jun 25 13:40:16 ramachandra ods-enforcerd: 200 zone(s) found on policy "sidn"
Jun 25 13:40:16 ramachandra ods-enforcerd: [hsm_key_factory_generate] 13 keys needed for 200 zones covering 31536000 seconds, generating 1 keys for policy sidn
Jun 25 13:40:16 ramachandra ods-enforcerd: 1 new ZSK(s) (1024 bits) need to be created.
Jun 25 13:40:17 ramachandra ods-enforcerd: [hsm_key_factory_generate] generated key e484bf43583403c1a1658c2c7e30d47b successfully
Jun 25 13:40:17 ramachandra ods-enforcerd: [hsm_key_factory_generate_task] generate for policy key done
Jun 25 13:40:17 ramachandra ods-enforcerd: [worker[2]] finished working
Jun 25 13:40:17 ramachandra ods-enforcerd: [worker[2]]: report for duty
Jun 25 13:40:17 ramachandra ods-enforcerd: SELECT keyDependency.id, keyDependency.rev, keyDependency.zoneId, keyDependency.fromKeyDataId, keyDependency.toKeyDataId, keyDependency.type FROM keyDependency WHERE keyDependency.zoneId = ?
Jun 25 13:40:17 ramachandra ods-enforcerd: SELECT keyState.id, keyState.rev, keyState.keyDataId, keyState.type, keyState.state, keyState.lastChange, keyState.minimize, keyState.ttl FROM keyState WHERE keyState.keyDataId = ?
Jun 25 13:40:17 ramachandra ods-enforcerd: [enforcer] updateZone: processing key 0c9c2506e33fe702c96f989bf78ab66f 4
Jun 25 13:40:17 ramachandra ods-enforcerd: [enforcer] updateZone: May KSK 0c9c2506e33fe702c96f989bf78ab66f DS in state hidden transition to rumoured?
Jun 25 13:40:17 ramachandra ods-enforcerd: [enforcer] updateZone: May KSK 0c9c2506e33fe702c96f989bf78ab66f DNSKEY in state hidden transition to rumoured?
Jun 25 13:40:17 ramachandra ods-enforcerd: [enforcer] updateZone Policy says we can (1/3)
Jun 25 13:40:17 ramachandra ods-enforcerd: [enforcer] updateZone: May KSK 0c9c2506e33fe702c96f989bf78ab66f RRSIGDNSKEY in state hidden transition to rumoured?
Jun 25 13:40:17 ramachandra ods-enforcerd: [enforcer] updateZone: processing key 68e476a72a0ab6e296dc309334276588 1
Jun 25 13:40:17 ramachandra ods-enforcerd: [enforcer] updateZone: May ZSK 68e476a72a0ab6e296dc309334276588 DNSKEY in state hidden transition to rumoured?
Jun 25 13:40:17 ramachandra ods-enforcerd: [enforcer] updateZone Policy says we can (1/3)
Jun 25 13:40:17 ramachandra ods-enforcerd: [enforcer] updateZone: May ZSK 68e476a72a0ab6e296dc309334276588 RRSIG in state rumoured transition to omnipresent?
Jun 25 13:40:17 ramachandra ods-enforcerd: [enforcer] updateZone Policy says we can (1/3)
Jun 25 13:40:17 ramachandra ods-enforcerd: [enforcer] updateZone DNSSEC says we can (2/3)
Jun 25 13:40:17 ramachandra ods-enforcerd: UPDATE keyData SET zoneId = ?, hsmKeyId = ?, algorithm = ?, inception = ?, role = ?, introducing = ?, shouldRevoke = ?, standby = ?, activeZsk = ?, publish = ?, activeKsk = ?, dsAtParent = ?, keytag = ?, minimize = ?, rev = ? WHERE keyData.id = ? AND keyData.rev = ?
Jun 25 13:40:17 ramachandra ods-enforcerd: UPDATE keyData SET zoneId = ?, hsmKeyId = ?, algorithm = ?, inception = ?, role = ?, introducing = ?, shouldRevoke = ?, standby = ?, activeZsk = ?, publish = ?, activeKsk = ?, dsAtParent = ?, keytag = ?, minimize = ?, rev = ? WHERE keyData.id = ? AND keyData.rev = ?
Jun 25 13:40:17 ramachandra ods-enforcerd: SELECT keyData.id, keyData.rev, keyData.zoneId, keyData.hsmKeyId, keyData.algorithm, keyData.inception, keyData.role, keyData.introducing, keyData.shouldRevoke, keyData.standby, keyData.activeZsk, keyData.publish, keyData.activeKsk, keyData.dsAtParent, keyData.keytag, keyData.minimize FROM keyData WHERE keyData.zoneId = ?
Jun 25 13:40:17 ramachandra ods-enforcerd: Next update for zone ucgvtest2.nl scheduled at Tue Jun 26 13:40:40 2018
root at ramachandra:~# ods-enforcer key list --zone ucgvtest2.nl -v
Keys:
Zone: Keytype: State: Date of next transition: Size: Algorithm: CKA_ID: Repository: KeyTag:
ucgvtest2.nl ZSK publish 2018-06-26 13:40:40 1024 8 68e476a72a0ab6e296dc309334276588 LocalHSM 14190
key list completed in 0 seconds.
root at ramachandra:~# ods-enforcer key list --zone ucgvtest2.nl -d
Keys:
Zone: Key role: DS: DNSKEY: RRSIGDNSKEY: RRSIG: Pub: Act: Id:
ucgvtest2.nl ZSK NA hidden NA rumoured 0 1 68e476a72a0ab6e296dc309334276588
Now I'm a bit miffed by these zones with a ZSK but without a KSK.
My original problem, the zone wiskundeoptiu.nl, remains, but the situation has been slightly improved
because some of the signatures have been replaced by signatures with the current ZSK.
I'm considering wether or not to edit the database directly to get the zone back in a workable condition by removing the problematic keys.
First I'm going to delete the zone ucgv.nl, which is not yet in use, and redo it in the hope that it magically works out this time.
--
Casper Gielen <cgielen at uvt.nl> | LIS UNIX
PGP fingerprint = 16BD 2C9F 8156 C242 F981 63B8 2214 083C F80E 4AF7
Universiteit van Tilburg | Postbus 90153, 5000 LE
Warandelaan 2 | Telefoon 013 466 4100 | G 236 | http://www.uvt.nl
More information about the Opendnssec-user
mailing list