[Opendnssec-user] DNSKEY signature expired

Berry van Halderen berry at nlnetlabs.nl
Mon May 3 13:25:38 UTC 2021


On 2021-05-03 15:01, Colin Spensley via Opendnssec-user wrote:
> Thank you. I should have been more diligent/comprehensive previously.
> 
> The immediate error is that ods-signer does not find a key (id:
> ca7e41658c07917f82ca1a77794a235d) that it is expecting.
> 
> May  1 05:35:11 my_server ods-signerd[1960]: [hsm] unable to get key:
> key ca7e41658c07917f82ca1a77794a235d not found
> May  1 05:35:11 my_server ods-signerd[1960]: [hsm] hsm_get_dnskey():
> Got NULL key
> May  1 05:35:11 my_server ods-signerd[1960]: [hsm] unable to get key:
> hsm failed to create dnskey
> May  1 05:35:11 my_server ods-signerd[1960]: [zone] unable to prepare
> signing keys for zone my_domain.tld: error getting dnskey
> May  1 05:35:11 my_server ods-signerd[1960]: [worker[1]] CRITICAL:
> failed to sign zone my_domain.tld: General error
> May  1 05:35:11 my_server ods-signerd[1960]: back-off task [sign] for
> zone my_domain.tld with 3600 seconds
> 
> 
> Looking back through the logs however, this is because ods-enforcer
> purged that key from the HSM two weeks ago. The signconf file appears
> not to have been correspondingly updated though and is therefore now
> inconsistent. So I now have:-
> 
> In signconf/<my_domain.tld>.xml
> ------------------------
>     <Keys>
>       <TTL>PT1H</TTL>
>       <Key>
>         <Flags>257</Flags>
>         <Algorithm>13</Algorithm>
>         <Locator>4017f49c5510cd7747298b8cf5b07c63</Locator>
>         <KSK/>
>         <Publish/>
>       </Key>
>       <Key>
>         <Flags>256</Flags>
>         <Algorithm>13</Algorithm>
>         <Locator>ca7e41658c07917f82ca1a77794a235d</Locator>
>       </Key>
>       <Key>
>         <Flags>256</Flags>
>         <Algorithm>13</Algorithm>
>         <Locator>87fc66abfbe9fbb4f2eb97b02f31b0f9</Locator>
>         <ZSK/>
>         <Publish/>
>       </Key>
>     </Keys>
> 
> From ods-enforcer key list -d
> -----------------------------
> my_domain.tld                  KSK           omnipresent  omnipresent
> omnipresent  NA           1    1    4017f49c5510cd7747298b8cf5b07c63
> my_domain.tld                  ZSK           NA           omnipresent
> NA           omnipresent  1    1    87fc66abfbe9fbb4f2eb97b02f31b0f9
> 
> From log:
> ---------
> Apr 21 19:09:55 my_server ods-enforcerd[1936]: [enforcer] update zone:
> my_domain.tld
> Apr 21 19:09:55 my_server ods-enforcerd[1936]: [enforcer]
> removeDeadKeys deleting key: ca7e41658c07917f82ca1a77794a235d
> Apr 21 19:09:56 my_server ods-enforcerd[1936]:
> [hsm_key_factory_delete_key] looking for keys to purge from HSM
> Apr 21 19:09:56 my_server ods-enforcerd[1936]:
> [hsm_key_factory_get_key] removing key
> ca7e41658c07917f82ca1a77794a235d from HSM
> Apr 21 19:09:56 my_server ods-enforcerd[1936]: [enforcer]
> removeDeadKeys: keys deleted from HSM: 1
> Apr 21 19:09:56 my_server ods-enforcerd[1936]: [enforcer] update:
> key_data_update() failed
> Apr 21 19:09:57 my_server ods-enforcerd[1936]: [enforce_task] No
> changes to signconf file required for zone my_domain.tld
> 
> I'm guessing the significant error is the key_data_update failure and
> that it probably relates to the change made in 2.1.8.
> 
> I suspect that just manually forcing regeneration of the signconf
> would correct the immediate failure but, as this is occurring on a
> domain which is relatively unimportant for me, I would like to try to
> understand how/why the situation has arisen and how to correct it
> properly/elegantly. I'm also anxious to reassure myself that the same
> error is not about to occur on other, more critical zones.
> 

OpenDNSSEC 2.1.9 will come out today or early tomorrow with a fix for
this issue. Meanwhile you can upgrade to the release candidate for it.
This will fix the issue.

https://dist.opendnssec.org/source/testing/opendnssec-2.1.9rc1.tar.gz

This issue has been reported lately on the list and your situation seems
identical, or at least resolves this issue. Please let me know if it works
for you, this will expedite my work.

\Berry

> 
> On 03/05/2021 13:01, Berry van Halderen via Opendnssec-user wrote:
>> On 2021-05-03 13:39, Colin Spensley via Opendnssec-user wrote:
>>> I have a zone managed by OpenDNSSEC 2 which now is not resolved by
>>> validating resolvers. The reason appears to be that the RRSIG over 
>>> the
>>> DNSKEY RRset has been allowed to expire by ods-signer.
>>> 
>>> Ie. (crudely obfuscated):-
>>> 
>>>> my_domain.tld.        3600    IN    RRSIG    DNSKEY 13 3 3600 
>>>> 20210501213711 20210418073317 47867 my_domain.tld. 
>>>> BIzcTyvmGi/OcLaBdXMExes/iyHkrUC1qOhg4W4ybcjsS/zAXz65NJBa 
>>>> oojfCzX7gUo/DD9mXaMFZTyWm8iLpA==
>>> 
>>> The signer does run for the domain but does not regenerate this 
>>> signature.
>>> 
>>> Can anyone suggest what might be causing this error?
>>> 
>> 
>> Your log should provide more information.  There should be some 
>> logging lines, probably in /var/log/messages indicating that 
>> "ods-signer" has some error.  I would suggest a grep ods-signer 
>> /var/log/messages.
>> 
>> \Berry
>> _______________________________________________
>> Opendnssec-user mailing list
>> Opendnssec-user at lists.opendnssec.org
>> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
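The inconsistency Colin found by eye (a Locator still listed in the signconf after the enforcer had purged the key from the HSM, with no KSK/ZSK role element on it) can be checked mechanically across every zone before the signer hits it. The script below is an added example written for this thread, not code from OpenDNSSEC or from anyone on the list. It parses the Keys section of a signconf file and the rows of `ods-enforcer key list -d`, and reports locators the signconf references but the enforcer no longer tracks. Both inputs are constructed here to mirror what the post shows; the SignerConfiguration/Zone wrapper elements and the column header of the key list are assumptions, and the parser ignores any line that is not a key row.

```python
"""Cross-check an OpenDNSSEC signconf against 'ods-enforcer key list -d'.

Added example for the thread; not part of OpenDNSSEC. Inputs are constructed.
"""
import re
import sys
import xml.etree.ElementTree as ET

# Constructed signconf, shaped like the <Keys> section quoted in the post.
# The SignerConfiguration/Zone wrapper is assumed, not copied from the post.
SIGNCONF_XML = """<SignerConfiguration>
  <Zone name="my_domain.tld">
    <Keys>
      <TTL>PT1H</TTL>
      <Key>
        <Flags>257</Flags>
        <Algorithm>13</Algorithm>
        <Locator>4017f49c5510cd7747298b8cf5b07c63</Locator>
        <KSK/>
        <Publish/>
      </Key>
      <Key>
        <Flags>256</Flags>
        <Algorithm>13</Algorithm>
        <Locator>ca7e41658c07917f82ca1a77794a235d</Locator>
      </Key>
      <Key>
        <Flags>256</Flags>
        <Algorithm>13</Algorithm>
        <Locator>87fc66abfbe9fbb4f2eb97b02f31b0f9</Locator>
        <ZSK/>
        <Publish/>
      </Key>
    </Keys>
  </Zone>
</SignerConfiguration>
"""

# Constructed 'ods-enforcer key list -d' output: the two rows from the post
# with their wrapped lines joined; the header line is an assumption.
ENFORCER_KEY_LIST = """\
Zone:                          Key role:     DS:          DNSKEY:      RRSIGDNSKEY: RRSIG:       Pub: Act: Id:
my_domain.tld                  KSK           omnipresent  omnipresent  omnipresent  NA           1    1    4017f49c5510cd7747298b8cf5b07c63
my_domain.tld                  ZSK           NA           omnipresent  NA           omnipresent  1    1    87fc66abfbe9fbb4f2eb97b02f31b0f9
"""

HEX_LOCATOR = re.compile(r"^[0-9a-f]{32}$")
# One key row: zone, role, any state columns, then the 32-hex-digit key id.
ENFORCER_ROW = re.compile(
    r"^(?P<zone>\S+)\s+(?P<role>KSK|ZSK|CSK)\s+.*?(?P<locator>[0-9a-f]{32})\s*$"
)


def signconf_keys(xml_text):
    """Return {locator: {flags, algorithm, role, publish}} for every <Key>."""
    keys = {}
    for key in ET.fromstring(xml_text).iter("Key"):
        locator = key.findtext("Locator", "").strip()
        if not HEX_LOCATOR.match(locator):
            raise ValueError(f"malformed Locator in signconf: {locator!r}")
        # A key with neither <KSK/> nor <ZSK/> has no role: the shape of the stale entry.
        role = "KSK" if key.find("KSK") is not None else (
            "ZSK" if key.find("ZSK") is not None else None)
        keys[locator] = {
            "flags": int(key.findtext("Flags", "0")),
            "algorithm": int(key.findtext("Algorithm", "0")),
            "role": role,
            "publish": key.find("Publish") is not None,
        }
    return keys


def enforcer_keys(list_text, zone=None):
    """Parse key rows into {locator: (zone, role)}, optionally for one zone."""
    keys = {}
    for line in list_text.splitlines():
        m = ENFORCER_ROW.match(line)
        if m and (zone is None or m["zone"] == zone):
            keys[m["locator"]] = (m["zone"], m["role"])
    return keys


def audit(xml_text, list_text, zone=None):
    """Locators only the signconf knows, role-less keys, and locators only the enforcer knows."""
    sc = signconf_keys(xml_text)
    en = enforcer_keys(list_text, zone)
    return {
        "stale": sorted(loc for loc in sc if loc not in en),
        "untagged": sorted(loc for loc, info in sc.items() if info["role"] is None),
        "enforcer_only": sorted(loc for loc in en if loc not in sc),
    }


if __name__ == "__main__":
    report = audit(SIGNCONF_XML, ENFORCER_KEY_LIST, "my_domain.tld")
    for kind, locs in report.items():
        print(f"{kind}: {', '.join(locs) or '-'}")
    sys.exit(1 if report["stale"] else 0)  # non-zero exit flags a zone the signer will fail on
```

Run against real data, replace the two constants with the contents of `signconf/<zone>.xml` and a captured `ods-enforcer key list -d`, and loop over every zone; a non-empty `stale` list is exactly the condition that produced the "key ... not found" error above, and catching it before the RRSIG over the DNSKEY RRset expires is what Colin was asking for with respect to his other zones.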
