On Mon, Jun 2, 2014 at 1:56 PM, Jerry Lundström <[email protected]> wrote:
> On Mon, 2014-06-02 at 11:56 +0200, Gilles Massen wrote:
> > Our key material is stored in an HSM (Keyper), we have a production
> > HSM (which is fine) and an identical setup (with copies of the keys)
> > as backup. And on the backup the signatures failed. I have no errors
> > in the Keyper's logs, so it really looks as if one specific key was
> > corrupted. All other signatures are fine, so the obvious fix was to
> > roll the keys, and now both systems are fine.
> >
> > One question that remains: has someone seen this kind of error? Is
> > that something to be expected?
>
> A corrupt key within Keyper would create invalid signatures and
> OpenDNSSEC does not validate the information from the HSM; that was a
> job for the auditor and nowadays we recommend other tools such as
> validns to do this validation if needed.
>
> How this happened might remain a mystery: corrupt data within the HSM,
> unnoticed errors, who knows.
>
> > And does OpenDNSSEC have by any chance a rough tool to create a sig
> > with a given key referenced by the kasp.db?
>
> Only thing that I can think of is that we have ods-hsmutil which can
> generate a DNSKEY RR, but you don't really have to have a specific
> OpenDNSSEC tool for this. You can list the keys used for a zone and get
> the CKA_ID which could be used by another tool that talks PKCS#11 to
> generate signatures. I do not know of such a tool.
>

I use ods-ksmutil key list to obtain the CKA_ID for all keys for a zone, then dnssec-keyfromlabel to create the files with metadata for these keys, store the files in a temp directory and then I use dnssec-signzone (-S) to actually sign the zone. For the most simple scenario, when there are only two active keys, ZSK and KSK, I run dnssec-keyfromlabel twice with different options to correctly create the ZSK and KSK files. In the middle of a rollover or when using stand-by keys, I use dnssec-keyfromlabel a few times, to create all needed key files.

Emil

> --
> Jerry Lundström - OpenDNSSEC Developer
> http://www.opendnssec.org/
_______________________________________________ Opendnssec-user mailing list [email protected] https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
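Emil's procedure above (ods-ksmutil key list, then dnssec-keyfromlabel per key, then dnssec-signzone -S), as an added example that is not part of this thread and is not OpenDNSSEC or BIND code. It is a POSIX shell script that turns the key list into one dnssec-keyfromlabel invocation per usable key, with the SEP flag for KSKs and timing metadata derived from the OpenDNSSEC key state, and then signs the zone with smart signing. Assumptions, all labelled in the code: the column layout of `ods-ksmutil key list --verbose` from OpenDNSSEC 1.4.x (the sample output below is constructed, with made-up CKA_IDs and keytags); keys stored in the token with the CKA_ID as the object label, as ods-hsmutil creates them; BIND tools built with the OpenSSL `pkcs11` engine; the algorithm `RSASHA256` and the token label `Keyper`; and the mapping of the states publish/ready/active/retire to `-P`/`-A`/`-I` dates. Adjust those to your kasp.xml and HSM before running with DRY_RUN=0.

```shell
#!/bin/sh
# Added example (not OpenDNSSEC or BIND code): rebuild BIND key files for the
# HSM keys OpenDNSSEC uses for a zone, then sign the zone with dnssec-signzone -S,
# so the resulting RRSIGs can be checked independently of the HSM that produced
# the suspect ones. Every name below is an assumption for the example.

ZONE="${ZONE:-example.com}"
KEYDIR="${KEYDIR:-/tmp/ods-keys.$$}"
ALG="${ALG:-RSASHA256}"       # assumption: algorithm configured in kasp.xml
ENGINE="${ENGINE:-pkcs11}"    # assumption: OpenSSL engine name BIND uses for the HSM
TOKEN="${TOKEN:-Keyper}"      # assumption: PKCS#11 token label
DRY_RUN="${DRY_RUN:-1}"       # 1 = print the commands, 0 = run them

# Constructed sample of `ods-ksmutil key list --verbose` (OpenDNSSEC 1.4.x layout,
# widths trimmed) for a zone in the middle of a ZSK rollover. CKA_IDs are made up.
ods_key_list_sample() {
cat <<'EOF'
Zone:         Keytype: State:   Date of next transition: CKA_ID:                          Repository: Keytag:
example.com   KSK      active   2014-09-01 00:00:00      2d0cf2c3bbbd8bd2a3d3f9b5f2a1c0ff Keyper      24001
example.com   ZSK      active   2014-06-15 00:00:00      7a61b0ae6d0d1b0f5d5b4e3c2f1a0e9d Keyper      51234
example.com   ZSK      publish  2014-06-15 00:00:00      9e8d7c6b5a4f3e2d1c0b9a8f7e6d5c4b Keyper      8765
example.com   ZSK      dead     2014-06-01 00:00:00      0011223344556677889900aabbccddee Keyper      1111
other.example ZSK      active   2014-06-15 00:00:00      ffeeddccbbaa99887766554433221100 Keyper      2222
EOF
}

# Live source: the same listing straight from the enforcer database (kasp.db).
ods_key_list_live() {
  ods-ksmutil key list --verbose --zone "$ZONE"
}

# Map an OpenDNSSEC key state to dnssec-keyfromlabel timing metadata. Assumed
# mapping: publish = in the DNSKEY RRset but not signing; ready/active = signing;
# retire = still published, no longer signing. generate/dead get no key file.
timing_flags() {
  case "$1" in
    publish)       echo "-P now" ;;
    ready|active)  echo "-P now -A now" ;;
    retire)        echo "-P now -A now -I now" ;;
    *)             return 1 ;;
  esac
}

# Emit "<keytype> <state> <CKA_ID>" for every key of $ZONE. The CKA_ID is located
# as the 32-hex-character field, so the variable-width date column is irrelevant.
zone_keys() {
  "$1" | awk -v zone="$ZONE" '
    $1 == zone {
      for (i = NF; i > 0; i--)
        if ($i ~ /^[0-9a-f]+$/ && length($i) == 32) { print $2, $3, $i; break }
    }'
}

# One dnssec-keyfromlabel per usable key; KSKs additionally get -f KSK (SEP bit).
# The label form assumes the key object in the token is named by its CKA_ID.
build_key_commands() {
  zone_keys "$1" | while read -r ktype state ckaid; do
    flags=$(timing_flags "$state") || continue
    if [ "$ktype" = KSK ]; then flags="$flags -f KSK"; fi
    label="pkcs11:token=$TOKEN;object=$ckaid"
    if [ "$DRY_RUN" = 1 ]; then
      echo "dnssec-keyfromlabel -K $KEYDIR -E $ENGINE -a $ALG -l '$label' $flags $ZONE"
    else
      # $flags is intentionally word-split into separate arguments
      dnssec-keyfromlabel -K "$KEYDIR" -E "$ENGINE" -a "$ALG" -l "$label" $flags "$ZONE"
    fi
  done
}

# Smart signing (-S) reads every K<zone>+*.key in $KEYDIR and applies its timing
# metadata: published keys go into the DNSKEY RRset, active ones produce RRSIGs.
sign_zone() {
  if [ "$DRY_RUN" = 1 ]; then
    echo "dnssec-signzone -S -K $KEYDIR -E $ENGINE -o $ZONE -f $ZONE.signed $ZONE.unsigned"
  else
    dnssec-signzone -S -K "$KEYDIR" -E "$ENGINE" -o "$ZONE" -f "$ZONE.signed" "$ZONE.unsigned"
  fi
}

run_all() {
  mkdir -p "$KEYDIR"
  if [ "$DRY_RUN" = 1 ]; then src=ods_key_list_sample; else src=ods_key_list_live; fi
  build_key_commands "$src"
  sign_zone
}

if [ "${1:-}" = "--run" ]; then run_all; fi
```

With DRY_RUN=1 the script only prints the three dnssec-keyfromlabel commands (two signing keys, one ZSK in publish state) and the dnssec-signzone line; the dead key and the other zone are skipped. With DRY_RUN=0 on a host that can reach the same HSM, the output is a signed zone whose RRSIGs were produced by a second PKCS#11 client, which is the kind of independent check Jerry describes OpenDNSSEC itself not doing: validating the fresh zone with validns, or diffing its RRSIGs against the zone the backup HSM produced, isolates a corrupt key to one signer without waiting for resolvers to fail.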
