Hi Sion,

On Thu, Dec 18, 2014 at 4:52 PM, Siôn Lloyd <[email protected]> wrote:
>
> On 18/12/14 12:38, Emil Natan wrote:
> > Hello,
> >
> > Can someone please explain when and why keys are created "NOT IN
> > repository"?
>
> Hi Emil,
>
> Is there a chance that these keys were created and then deleted? That is
> the most likely scenario I can think of.
>

I do not think that's the case. I had this zone managed by ODS once, but since then I wiped both the HSM and the ODS database, and the zone was commented out in zonelist.conf. Today I enabled the zone and I see in the log file:
Dec 18 14:22:04 debugsigner002 ods-enforcerd: Key sharing is Off.
Dec 18 14:22:04 debugsigner002 ods-enforcerd: 1 zone(s) found on policy "testpolicy"
Dec 18 14:22:04 debugsigner002 ods-enforcerd: 1 new KSK(s) (2048 bits) need to be created for policy testpolicy: keys_to_generate(1) = keys_needed(1) - keys_available(0).
Dec 18 14:22:16 debugsigner002 ods-enforcerd: Created key in repository Keyper
Dec 18 14:22:16 debugsigner002 ods-enforcerd: Created KSK size: 2048, alg: 8 with id: 328387cdfb9fae6a5bf27082dc0b858b in repository: Keyper and database.
Dec 18 14:22:16 debugsigner002 ods-enforcerd: 1 new ZSK(s) (1024 bits) need to be created for policy testpolicy: keys_to_generate(1) = keys_needed(1) - keys_available(0).
Dec 18 14:22:19 debugsigner002 ods-enforcerd: Created key in repository Keyper
Dec 18 14:22:19 debugsigner002 ods-enforcerd: Created ZSK size: 1024, alg: 8 with id: 6833a76d1e0834504e43c1ae47b66646 in repository: Keyper and database.
Dec 18 14:22:19 debugsigner002 ods-enforcerd: NOTE: keys generated in repository Keyper will not become active until they have been backed up

It looks like the keys were just created. Later in the log:

Dec 18 14:22:19 debugsigner002 ods-enforcerd: Zone w3c.org found.
Dec 18 14:22:19 debugsigner002 ods-enforcerd: Policy for w3c.org set to testpolicy.
Dec 18 14:22:19 debugsigner002 ods-enforcerd: Policy testpolicy found in DB.
Dec 18 14:22:19 debugsigner002 ods-enforcerd: Config will be output to /ods-data/var/opendnssec/signconf/w3c.org.xml.
Dec 18 14:22:19 debugsigner002 ods-enforcerd: ZSK key allocation for zone w3c.org: 1 key(s) allocated
Dec 18 14:22:19 debugsigner002 ods-enforcerd: KSK key allocation for zone w3c.org: 1 key(s) allocated
Dec 18 14:22:19 debugsigner002 ods-enforcerd: INFO: Promoting ZSK from publish to active as this is the first pass for the zone
Dec 18 14:22:19 debugsigner002 ods-enforcerd: ERROR: Trying to make non-backed up ZSK active when RequireBackup flag is set
Dec 18 14:22:19 debugsigner002 ods-enforcerd: KsmRequestKeys returned: 65562
Dec 18 14:22:19 debugsigner002 ods-enforcerd: Signconf not written for w3c.org
Dec 18 14:22:19 debugsigner002 ods-enforcerd: Disconnecting from Database...

and later:

Dec 18 14:25:53 debugsigner002 ods-signerd: [hsm] unable to get key: key 328387cdfb9fae6a5bf27082dc0b858b not found
Dec 18 14:25:53 debugsigner002 ods-signerd: [zone] unable to publish dnskeys for zone w3c.org: error creating dnskey
Dec 18 14:25:53 debugsigner002 ods-signerd: [tools] unable to read zone w3c.org: failed to publish dnskeys (General error)
Dec 18 14:25:53 debugsigner002 ods-signerd: [worker[1]] CRITICAL: failed to sign zone w3c.org: General error
Dec 18 14:25:53 debugsigner002 ods-signerd: [worker[1]] backoff task [read] for zone w3c.org with 60 seconds
Dec 18 14:25:53 debugsigner002 ods-signerd: [worker[1]] finished working on zone w3c.org.

And my question is: if there was a problem creating the keys in the HSM, why are they created outside of it? Isn't it better if the process just stops? And where do the keys actually exist, if not in the repository? The idea was to use ODS always with the HSM.

Thanks.
Emil

> If not, were any errors logged during key generation?
>
> Sion
>
> > root@debugsigner002:~# ods-ksmutil key list --zone w3c.org -v
> > Zone:    Keytype:  State:   Date of next transition (to):  Size:  Algorithm:  CKA_ID:                           Repository:  Keytag:
> > w3c.org  KSK       publish  2014-12-18 18:30:53 (ready)    2048   8           328387cdfb9fae6a5bf27082dc0b858b  Keyper       NOT IN repository
> > w3c.org  ZSK       active   2015-04-21 14:25:53 (retire)   1024   8           6833a76d1e0834504e43c1ae47b66646  Keyper       NOT IN repository
> >
> > Thanks.
> > Emil
>

_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
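As an added example (not part of the thread and not OpenDNSSEC project code), a small Python triage script that correlates the ods-enforcerd "Created ... with id" lines with the later ods-signerd "not found" lookup and the RequireBackup refusal, so an operator can see at a glance which CKA_IDs the enforcer believes exist in the repository but the signer cannot load from the HSM. The log excerpt it parses is constructed from the lines quoted above; the message formats are taken from those lines only.

```python
import re

# Constructed sample: a subset of the ods-enforcerd / ods-signerd lines quoted in the thread.
SAMPLE_LOG = """\
Dec 18 14:22:16 debugsigner002 ods-enforcerd: Created KSK size: 2048, alg: 8 with id: 328387cdfb9fae6a5bf27082dc0b858b in repository: Keyper and database.
Dec 18 14:22:19 debugsigner002 ods-enforcerd: Created ZSK size: 1024, alg: 8 with id: 6833a76d1e0834504e43c1ae47b66646 in repository: Keyper and database.
Dec 18 14:22:19 debugsigner002 ods-enforcerd: NOTE: keys generated in repository Keyper will not become active until they have been backed up
Dec 18 14:22:19 debugsigner002 ods-enforcerd: ERROR: Trying to make non-backed up ZSK active when RequireBackup flag is set
Dec 18 14:22:19 debugsigner002 ods-enforcerd: Signconf not written for w3c.org
Dec 18 14:25:53 debugsigner002 ods-signerd: [hsm] unable to get key: key 328387cdfb9fae6a5bf27082dc0b858b not found
"""

# Message shapes taken from the enforcer/signer lines in the thread.
CREATED = re.compile(r"ods-enforcerd: Created (KSK|ZSK) size: (\d+), alg: (\d+) with id: ([0-9a-f]+) in repository: (\S+) and database")
NOT_FOUND = re.compile(r"ods-signerd: \[hsm\] unable to get key: key ([0-9a-f]+) not found")
BACKUP_BLOCK = re.compile(r"ods-enforcerd: ERROR: Trying to make non-backed up (KSK|ZSK) active when RequireBackup flag is set")
NO_SIGNCONF = re.compile(r"ods-enforcerd: Signconf not written for (\S+)")


def triage(log_text):
    """Relate enforcer key creation to later signer/HSM failures in one pass.
    'missing_in_hsm': CKA_IDs reported as created that the signer could not find;
    'unknown_missing': failed lookups for ids this log never saw created."""
    result = {"created": {}, "missing_in_hsm": [], "unknown_missing": [],
              "backup_blocked": [], "no_signconf": []}
    for line in log_text.splitlines():
        m = CREATED.search(line)
        if m:
            ktype, size, alg, cka_id, repo = m.groups()
            result["created"][cka_id] = {"type": ktype, "size": int(size), "alg": int(alg), "repository": repo}
            continue
        m = NOT_FOUND.search(line)
        if m:
            cka_id = m.group(1)
            bucket = "missing_in_hsm" if cka_id in result["created"] else "unknown_missing"
            result[bucket].append(cka_id)
            continue
        m = BACKUP_BLOCK.search(line)
        if m:
            result["backup_blocked"].append(m.group(1))  # key type refused activation
            continue
        m = NO_SIGNCONF.search(line)
        if m:
            result["no_signconf"].append(m.group(1))  # zone left without a signconf
    return result


if __name__ == "__main__":
    for name, value in triage(SAMPLE_LOG).items():
        print(f"{name}: {value}")
```

Feed it the real syslog output (e.g. `triage(open("/var/log/syslog").read())`) to get the same buckets for a live system; a non-empty `missing_in_hsm` list is the mismatch the thread describes.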
