On Mon, 2014-06-02 at 11:56 +0200, Gilles Massen wrote:
> Our key material is stored in an HSM (Keyper), we have a production
> HSM (which is fine) and an identical setup (with copies of the keys)
> as backup. And on the backup the signatures failed. I have no errors
> in the Keyper's logs, so it really looks as if one specific key was
> corrupted. All other signatures are fine, so the obvious fix was to
> roll the keys, and now both systems are fine.
>
> One question that remains: has someone seen this kind of error? Is
> that something to be expected?
A corrupt key within Keyper would create invalid signatures, and OpenDNSSEC does not validate the information from the HSM; that was a job for the auditor, and nowadays we recommend other tools such as validns to do this validation if needed. How this happened might remain a mystery: corrupt data within the HSM, unnoticed errors, who knows.

> And does OpenDNSSEC have by any chance a rough tool to create a sig
> with a given key referenced by the kasp.db?

The only thing that I can think of is that we have ods-hsmutil, which can generate a DNSKEY RR, but you don't really have to have a specific OpenDNSSEC tool for this. You can list the keys used for a zone and get the CKA_ID, which could be used by another tool that talks PKCS#11 to generate signatures. I do not know of such a tool.

--
Jerry Lundström - OpenDNSSEC Developer
http://www.opendnssec.org/
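The check the thread is circling around is a signing round trip: sign a known blob with the private key handle on each HSM and verify the result under the DNSKEY the zone actually publishes, so a corrupted or mismatched private half on one HSM is caught before its RRSIGs reach the zone. The program below is an added illustration of that self-check and is not code from OpenDNSSEC, Keyper, or the people on this thread. It uses Go's standard-library RSA (PKCS#1 v1.5 with SHA-256, the primitive behind DNSSEC algorithm 8) with in-memory keys in place of PKCS#11 objects; the CKA_ID labels and the RRset bytes are constructed for the example, and the "backup" is modelled by pairing the published public key with a different private key to stand in for corrupted material.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// sampleRRset is a constructed stand-in for the canonical data an RRSIG covers
// (RRSIG RDATA prefix plus the canonical RRs); the real wire encoding is not
// modelled because the self-check only needs a fixed, known byte string.
var sampleRRset = []byte("example.org. 3600 IN A 192.0.2.1")

// zoneKey models one signing key as the signer sees it: the public half that is
// published as a DNSKEY, and a handle to the private half. Here the handle is an
// in-memory key; with a real HSM it would be the PKCS#11 private-key object
// located by the CKA_ID that OpenDNSSEC lists for the zone.
type zoneKey struct {
	ckaID string          // hypothetical CKA_ID label, constructed for this example
	pub   *rsa.PublicKey  // what the zone publishes in its DNSKEY RR
	priv  *rsa.PrivateKey // what the HSM (or its backup) signs with
}

// newZoneKey generates a fresh RSA key pair and labels it with a CKA_ID.
func newZoneKey(ckaID string) (zoneKey, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return zoneKey{}, err
	}
	return zoneKey{ckaID: ckaID, pub: &priv.PublicKey, priv: priv}, nil
}

// signRRset produces an RSA PKCS#1 v1.5 / SHA-256 signature over rrset.
func signRRset(priv *rsa.PrivateKey, rrset []byte) ([]byte, error) {
	digest := sha256.Sum256(rrset)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// verifyRRsig checks a signature against the published public key, as a
// validating resolver would do with the DNSKEY RR.
func verifyRRsig(pub *rsa.PublicKey, rrset, sig []byte) error {
	digest := sha256.Sum256(rrset)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig)
}

// auditSigner is the post-signing self-check: sign a known blob with the private
// handle and verify the result under the DNSKEY the zone publishes. Any
// divergence between the two halves surfaces here, before bad RRSIGs are published.
func auditSigner(k zoneKey) error {
	sig, err := signRRset(k.priv, sampleRRset)
	if err != nil {
		return fmt.Errorf("key %s: signing failed: %w", k.ckaID, err)
	}
	if err := verifyRRsig(k.pub, sampleRRset, sig); err != nil {
		return fmt.Errorf("key %s: test signature does not verify under the published DNSKEY: %w", k.ckaID, err)
	}
	return nil
}

// auditAll runs the self-check over every key and returns the failing CKA_IDs,
// so a signer can refuse to publish a zone if any handle is bad.
func auditAll(keys []zoneKey) []string {
	var bad []string
	for _, k := range keys {
		if err := auditSigner(k); err != nil {
			bad = append(bad, k.ckaID)
		}
	}
	return bad
}

func main() {
	production, err := newZoneKey("a1b2c3d4")
	if err != nil {
		panic(err)
	}
	// The backup HSM is supposed to hold a copy of the same key. To model
	// corrupted private material on the backup, its handle is swapped for a
	// different key while the published DNSKEY stays the same.
	other, err := newZoneKey("ffffffff")
	if err != nil {
		panic(err)
	}
	backup := zoneKey{ckaID: "a1b2c3d4 (backup)", pub: production.pub, priv: other.priv}

	for _, k := range []zoneKey{production, backup} {
		if err := auditSigner(k); err != nil {
			fmt.Println("FAIL:", err)
		} else {
			fmt.Println("OK:  ", k.ckaID)
		}
	}
}
```

Run against a real setup, the same loop would be driven by the CKA_IDs OpenDNSSEC lists for the zone, with the signing step done through the PKCS#11 provider of each HSM and the verification step using only the DNSKEY RRset; a failure then names the HSM and key handle that no longer matches what the zone publishes.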
_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
