[Opendnssec-user] DNSKEY signature expired
Colin Spensley
odsu at c20.ksac.uk
Mon May 3 13:01:20 UTC 2021
Thank you. I should have been more diligent/comprehensive previously.
The immediate error is that ods-signer does not find a key (id:
ca7e41658c07917f82ca1a77794a235d) that it is expecting.
May 1 05:35:11 my_server ods-signerd[1960]: [hsm] unable to get key: key ca7e41658c07917f82ca1a77794a235d not found
May 1 05:35:11 my_server ods-signerd[1960]: [hsm] hsm_get_dnskey(): Got NULL key
May 1 05:35:11 my_server ods-signerd[1960]: [hsm] unable to get key: hsm failed to create dnskey
May 1 05:35:11 my_server ods-signerd[1960]: [zone] unable to prepare signing keys for zone my_domain.tld: error getting dnskey
May 1 05:35:11 my_server ods-signerd[1960]: [worker[1]] CRITICAL: failed to sign zone my_domain.tld: General error
May 1 05:35:11 my_server ods-signerd[1960]: back-off task [sign] for zone my_domain.tld with 3600 seconds
Looking back through the logs however, this is because ods-enforcer
purged that key from the HSM two weeks ago. The signconf file appears
not to have been correspondingly updated though and is therefore now
inconsistent. So I now have:-
In signconf/<my_domain.tld>.xml
------------------------
<Keys>
  <TTL>PT1H</TTL>
  <Key>
    <Flags>257</Flags>
    <Algorithm>13</Algorithm>
    <Locator>4017f49c5510cd7747298b8cf5b07c63</Locator>
    <KSK/>
    <Publish/>
  </Key>
  <Key>
    <Flags>256</Flags>
    <Algorithm>13</Algorithm>
    <Locator>ca7e41658c07917f82ca1a77794a235d</Locator>
  </Key>
  <Key>
    <Flags>256</Flags>
    <Algorithm>13</Algorithm>
    <Locator>87fc66abfbe9fbb4f2eb97b02f31b0f9</Locator>
    <ZSK/>
    <Publish/>
  </Key>
</Keys>
From ods-enforcer key list -d
-----------------------------
my_domain.tld KSK omnipresent omnipresent omnipresent NA 1 1 4017f49c5510cd7747298b8cf5b07c63
my_domain.tld ZSK NA omnipresent NA omnipresent 1 1 87fc66abfbe9fbb4f2eb97b02f31b0f9
From log:
---------
Apr 21 19:09:55 my_server ods-enforcerd[1936]: [enforcer] update zone: my_domain.tld
Apr 21 19:09:55 my_server ods-enforcerd[1936]: [enforcer] removeDeadKeys deleting key: ca7e41658c07917f82ca1a77794a235d
Apr 21 19:09:56 my_server ods-enforcerd[1936]: [hsm_key_factory_delete_key] looking for keys to purge from HSM
Apr 21 19:09:56 my_server ods-enforcerd[1936]: [hsm_key_factory_get_key] removing key ca7e41658c07917f82ca1a77794a235d from HSM
Apr 21 19:09:56 my_server ods-enforcerd[1936]: [enforcer] removeDeadKeys: keys deleted from HSM: 1
Apr 21 19:09:56 my_server ods-enforcerd[1936]: [enforcer] update: key_data_update() failed
Apr 21 19:09:57 my_server ods-enforcerd[1936]: [enforce_task] No changes to signconf file required for zone my_domain.tld
I'm guessing the significant error is the key_data_update failure and
that it probably relates to the change made in 2.1.8.
I suspect that just manually forcing regeneration of the signconf would
correct the immediate failure but, as this is occurring on a domain
which is relatively unimportant for me, I would like to try to
understand how/why the situation has arisen and how to correct it
properly/elegantly. I'm also anxious to reassure myself that the same
error is not about to occur on other, more critical zones.
Colin
On 03/05/2021 13:01, Berry van Halderen via Opendnssec-user wrote:
> On 2021-05-03 13:39, Colin Spensley via Opendnssec-user wrote:
>> I have a zone managed by OpenDNSSEC 2 which now is not resolved by
>> validating resolvers. The reason appears to be that the RRSIG over the
>> DNSKEY RRset has been allowed to expire by ods-signer.
>>
>> Ie. (crudely obfuscated):-
>>
>>> my_domain.tld. 3600 IN RRSIG DNSKEY 13 3 3600
>>> 20210501213711 20210418073317 47867 my_domain.tld.
>>> BIzcTyvmGi/OcLaBdXMExes/iyHkrUC1qOhg4W4ybcjsS/zAXz65NJBa
>>> oojfCzX7gUo/DD9mXaMFZTyWm8iLpA==
>>
>> The signer does run for the domain but does not regenerate this
>> signature.
>>
>> Can anyone suggest what might be causing this error?
>>
>
> Your log should provide more information. There should be some logging
> lines, probably in /var/log/messages indicating that "ods-signer" has
> some error. I would suggest a grep ods-signer /var/log/messages.
>
> \Berry
> _______________________________________________
> Opendnssec-user mailing list
> Opendnssec-user at lists.opendnssec.org
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
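The failure Colin describes above is a signconf that still references a key locator the enforcer has already purged from the HSM. Whether the same drift exists on other zones can be checked mechanically by comparing each zone's signconf Locators against what `ods-enforcer key list -d` reports. The script below is an added example written for this page; it is not OpenDNSSEC code and not from the thread. Its signconf fragment and enforcer listing are constructed from the values quoted above (a real signconf wraps `<Keys>` in `<SignerConfiguration><Zone name="...">`, which the script also accepts), and the function names are the example's own.

```python
"""Cross-check an OpenDNSSEC signconf against the enforcer's view of a zone's keys.

Added example for this thread, not code from OpenDNSSEC.  The signconf fragment
and the 'ods-enforcer key list -d' output below are constructed from the values
quoted in the thread.  Real inputs come from signconf/<zone>.xml and from the
output of 'ods-enforcer key list -d'.
"""
import re
import xml.etree.ElementTree as ET

# Constructed signconf <Keys> fragment (real files wrap this in
# <SignerConfiguration><Zone name="...">; the comparison only needs <Keys>).
SIGNCONF_XML = """\
<Keys>
  <TTL>PT1H</TTL>
  <Key><Flags>257</Flags><Algorithm>13</Algorithm>
    <Locator>4017f49c5510cd7747298b8cf5b07c63</Locator><KSK/><Publish/></Key>
  <Key><Flags>256</Flags><Algorithm>13</Algorithm>
    <Locator>ca7e41658c07917f82ca1a77794a235d</Locator></Key>
  <Key><Flags>256</Flags><Algorithm>13</Algorithm>
    <Locator>87fc66abfbe9fbb4f2eb97b02f31b0f9</Locator><ZSK/><Publish/></Key>
</Keys>
"""

# Constructed 'ods-enforcer key list -d' output for the same zone.
ENFORCER_KEY_LIST = """\
my_domain.tld KSK omnipresent omnipresent omnipresent NA 1 1 4017f49c5510cd7747298b8cf5b07c63
my_domain.tld ZSK NA omnipresent NA omnipresent 1 1 87fc66abfbe9fbb4f2eb97b02f31b0f9
"""

# A key locator is a 32-character lowercase hex string at the end of the line.
LOCATOR_RE = re.compile(r"\b([0-9a-f]{32})\s*$")


def signconf_keys(xml_text):
    """Return {locator: {'flags': int, 'roles': set}} for every <Key> in a signconf.

    'roles' records which of <KSK/>, <ZSK/>, <Publish/> are present.  In the
    thread's file the stale entry carries none of them.
    """
    root = ET.fromstring(xml_text)
    keys_el = root if root.tag == "Keys" else root.find(".//Keys")
    result = {}
    for key in keys_el.findall("Key"):
        loc = key.findtext("Locator", "").strip()
        roles = {child.tag for child in key if child.tag in ("KSK", "ZSK", "Publish")}
        result[loc] = {"flags": int(key.findtext("Flags", "0")), "roles": roles}
    return result


def enforcer_locators(listing):
    """Return {locator: (zone, keytype)} from 'ods-enforcer key list -d' output.

    Only the first two columns and the trailing locator are used, so header
    lines and the state columns in between do not matter to the parser.
    """
    found = {}
    for line in listing.splitlines():
        m = LOCATOR_RE.search(line)
        if not m:
            continue  # header, blank, or otherwise non-key line
        parts = line.split()
        found[m.group(1)] = (parts[0], parts[1])
    return found


def stale_signconf_locators(xml_text, listing):
    """Locators the signconf still references but the enforcer no longer lists.

    Any hit means ods-signerd will call hsm_get_dnskey() for a key that may
    already have been purged from the HSM, which is the failure in the thread.
    """
    sc = signconf_keys(xml_text)
    enf = enforcer_locators(listing)
    return sorted(loc for loc in sc if loc not in enf)


if __name__ == "__main__":
    for loc in stale_signconf_locators(SIGNCONF_XML, ENFORCER_KEY_LIST):
        print("stale locator in signconf, unknown to enforcer:", loc)
```

To audit all zones, loop over the signconf directory, filter the enforcer listing by the first column (the zone name), and treat any non-empty result as a zone that will hit the same "key not found" error on its next signing run.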