[Opendnssec-user] Removing a zone-less key?
Havard Eidnes
he at uninett.no
Fri Aug 16 15:16:23 UTC 2024
Hi,
I'm running OpenDNSSEC 2.1.13 and SoftHSM 2.6.1.
For some reason or other, "ods-enforcer key list -v" has started
showing this particular key:
(null) KSK unknown now 2048 13 43ff9e6e2c011cd6165f25aa7ac6db83 SoftHSM 45696
It appears that the presence of this key makes "ods-enforcer key
list -z <any-zone>" crash ods-enforcerd with a SEGV, because in
perform_keystate_list() it doesn't check the return value of
key_data_get_zone() (which has several return paths which return
NULL) and consequently ends up calling zone_db_name() with a NULL
argument (which returns NULL), and using that as the first
argument to strcmp(), with predictable results.
The question is: how do I convince OpenDNSSEC that it should
forget about this key?
One would have thought that "ods-enforcer key purge -p <policy>"
would get rid of it. Not so. This command essentially does:
for all zones in policy
    for all keys belonging to this zone
        if key is "dead"
            remove key
and since this particular key is not attached to a zone, it does
not get purged.
To work around this rather annoying issue, I have concocted this
particular patch to OpenDNSSEC:
--- enforcer/src/keystate/keystate_list_cmd.c.orig 2024-08-16 14:50:50.834836266 +0000
+++ enforcer/src/keystate/keystate_list_cmd.c
@@ -199,7 +199,11 @@ perform_keystate_list(int sockfd, db_con
hsmkey = key_data_get_hsm_key(key);
key_data_cache_key_states(key);
tchange = map_keytime(zone, key); /* allocs */
- if ((printkey != NULL) && (!zonename || !strcmp(zone_db_name(zone), zonename)) && (!keytype || !strcasecmp(keytype,key_data_role_text(key))) && (!keystate || !strcasecmp(keystate, map_keystate(key))))
+ if ((printkey != NULL) &&
+ (!zonename || (zone && !strcmp(zone_db_name(zone), zonename))) &&
+ (!keytype || !strcasecmp(keytype,key_data_role_text(key))) &&
+ (!keystate || !strcasecmp(keystate, map_keystate(key)))
+ )
(*printkey)(sockfd, zone, key, tchange, hsmkey);
free(tchange);
hsm_key_free(hsmkey);
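Review bot: the added NULL guard only protects the `-z` filter path; when no zonename is given, the same NULL `zone` still reaches `map_keytime(zone, key)` on the line above the condition and the `(*printkey)(sockfd, zone, ...)` callback, so a check right after `key_data_get_zone()` (skip the row, or print it with an explicit marker and log a warning) would cover every path and keep an orphaned key visible to the operator instead of silently dropping it from `-z` output. The continuation lines of the split condition should also be indented past `if (` to match the surrounding style.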
which fixes the crash in ods-enforcerd, and does not print that
un-attached key when you list the keys for a specific zone.
However, the key remains inside OpenDNSSEC even though I think I
managed to delete it from SoftHSM using pkcs11-tool from the
opensc package.
"Help!"
Regards,
- Håvard
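As an added illustration, not code from this post or from OpenDNSSEC, the following constructed C model reproduces a key row whose zone is NULL and shows the NULL-safe zone filter beside a direct sweep for zone-less keys, which a zone-by-zone purge never reaches. The struct layouts, the zone name and the locators other than the one quoted above are assumptions.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the enforcer's key table (not OpenDNSSEC's real structs):
 * just enough to reproduce a key row whose zone pointer is NULL. */
struct zone { const char *name; };
struct key  { const char *locator; const char *role; const struct zone *zone; };

static const struct zone ZONE_A = { "example.net" };   /* constructed zone */
/* Sample rows; the second has no zone, like the "(null) KSK" row in the post. */
static const struct key KEYS[] = {
    { "constructed-locator-1", "ZSK", &ZONE_A },
    { "43ff9e6e2c011cd6165f25aa7ac6db83", "KSK", NULL },
    { "constructed-locator-2", "KSK", &ZONE_A },
};
#define NKEYS (sizeof KEYS / sizeof KEYS[0])

/* Hardened zone filter: the original strcmp(zone_db_name(zone), zonename)
 * dereferenced NULL; a key without a zone must simply never match a -z filter. */
static int zone_matches(const struct key *k, const char *zonename)
{
    if (zonename == NULL)
        return 1;                      /* no -z given: every key is listed */
    return k->zone != NULL && strcmp(k->zone->name, zonename) == 0;
}

/* Number of rows "key list -z <zonename>" would print (NULL = no filter). */
static int count_listed(const char *zonename)
{
    int shown = 0;
    for (size_t i = 0; i < NKEYS; i++)
        shown += zone_matches(&KEYS[i], zonename);
    return shown;
}

/* A purge that walks zone -> keys never visits these rows; count them directly
 * so an operator notices an orphaned key instead of it being silently skipped. */
static int count_zone_less(void)
{
    int n = 0;
    for (size_t i = 0; i < NKEYS; i++)
        n += (KEYS[i].zone == NULL);
    return n;
}

int main(void)
{
    printf("example.net: %d key(s), all: %d, zone-less: %d\n",
           count_listed("example.net"), count_listed(NULL), count_zone_less());
    return 0;
}
```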