For the record, adding a new zone not previously managed by ODS works well on the same setup, policy and all.
Emil

On Thu, Dec 18, 2014 at 6:05 PM, Emil Natan <[email protected]> wrote:
>
> Hi Sion,
>
> On Thu, Dec 18, 2014 at 4:52 PM, Siôn Lloyd <[email protected]> wrote:
>>
>> On 18/12/14 12:38, Emil Natan wrote:
>> > Hello,
>> >
>> > Can someone please explain when and why keys are created "NOT IN
>> > repository"?
>>
>> Hi Emil,
>>
>> Is there a chance that these keys were created and then deleted? That is
>> the most likely scenario I can think of.
>>
>
> I do not think that's the case. I had this zone managed by ODS once, but
> since then I wiped both the HSM and ODS database and the zone was commented
> out in zonelist.conf.
> Today I enabled the zone and I see in the log file:
>
> Dec 18 14:22:04 debugsigner002 ods-enforcerd: Key sharing is Off.
> Dec 18 14:22:04 debugsigner002 ods-enforcerd: 1 zone(s) found on policy "testpolicy"
> Dec 18 14:22:04 debugsigner002 ods-enforcerd: 1 new KSK(s) (2048 bits) need to be created for policy testpolicy: keys_to_generate(1) = keys_needed(1) - keys_available(0).
> Dec 18 14:22:16 debugsigner002 ods-enforcerd: Created key in repository Keyper
> Dec 18 14:22:16 debugsigner002 ods-enforcerd: Created KSK size: 2048, alg: 8 with id: 328387cdfb9fae6a5bf27082dc0b858b in repository: Keyper and database.
> Dec 18 14:22:16 debugsigner002 ods-enforcerd: 1 new ZSK(s) (1024 bits) need to be created for policy testpolicy: keys_to_generate(1) = keys_needed(1) - keys_available(0).
> Dec 18 14:22:19 debugsigner002 ods-enforcerd: Created key in repository Keyper
> Dec 18 14:22:19 debugsigner002 ods-enforcerd: Created ZSK size: 1024, alg: 8 with id: 6833a76d1e0834504e43c1ae47b66646 in repository: Keyper and database.
> Dec 18 14:22:19 debugsigner002 ods-enforcerd: NOTE: keys generated in repository Keyper will not become active until they have been backed up
>
> It looks like the keys were just created.
>
> Later in the log:
>
> Dec 18 14:22:19 debugsigner002 ods-enforcerd: Zone w3c.org found.
> Dec 18 14:22:19 debugsigner002 ods-enforcerd: Policy for w3c.org set to testpolicy.
> Dec 18 14:22:19 debugsigner002 ods-enforcerd: Policy testpolicy found in DB.
> Dec 18 14:22:19 debugsigner002 ods-enforcerd: Config will be output to /ods-data/var/opendnssec/signconf/w3c.org.xml.
> Dec 18 14:22:19 debugsigner002 ods-enforcerd: ZSK key allocation for zone w3c.org: 1 key(s) allocated
> Dec 18 14:22:19 debugsigner002 ods-enforcerd: KSK key allocation for zone w3c.org: 1 key(s) allocated
> Dec 18 14:22:19 debugsigner002 ods-enforcerd: INFO: Promoting ZSK from publish to active as this is the first pass for the zone
> Dec 18 14:22:19 debugsigner002 ods-enforcerd: ERROR: Trying to make non-backed up ZSK active when RequireBackup flag is set
> Dec 18 14:22:19 debugsigner002 ods-enforcerd: KsmRequestKeys returned: 65562
> Dec 18 14:22:19 debugsigner002 ods-enforcerd: Signconf not written for w3c.org
> Dec 18 14:22:19 debugsigner002 ods-enforcerd: Disconnecting from Database...
>
> and later:
>
> Dec 18 14:25:53 debugsigner002 ods-signerd: [hsm] unable to get key: key 328387cdfb9fae6a5bf27082dc0b858b not found
> Dec 18 14:25:53 debugsigner002 ods-signerd: [zone] unable to publish dnskeys for zone w3c.org: error creating dnskey
> Dec 18 14:25:53 debugsigner002 ods-signerd: [tools] unable to read zone w3c.org: failed to publish dnskeys (General error)
> Dec 18 14:25:53 debugsigner002 ods-signerd: [worker[1]] CRITICAL: failed to sign zone w3c.org: General error
> Dec 18 14:25:53 debugsigner002 ods-signerd: [worker[1]] backoff task [read] for zone w3c.org with 60 seconds
> Dec 18 14:25:53 debugsigner002 ods-signerd: [worker[1]] finished working on zone w3c.org.
>
> And my question is, if there was a problem to create the keys in the HSM,
> why are they created out of it? Isn't it better if the process just stops?
> And where do the keys actually exist if not in the repository? The idea was
> to use ODS always with HSM.
> Thanks.
>
> Emil
>
>
>> If not, were any errors logged during key generation?
>>
>> Sion
>>
>> >
>> > root@debugsigner002:~# ods-ksmutil key list --zone w3c.org -v
>> > Zone:     Keytype:  State:    Date of next transition (to):  Size:  Algorithm:  CKA_ID:                           Repository:  Keytag:
>> > w3c.org   KSK       publish   2014-12-18 18:30:53 (ready)    2048   8           328387cdfb9fae6a5bf27082dc0b858b  Keyper       NOT IN repository
>> > w3c.org   ZSK       active    2015-04-21 14:25:53 (retire)   1024   8           6833a76d1e0834504e43c1ae47b66646  Keyper       NOT IN repository
>> >
>> > Thanks.
>> > Emil
>> >
>> >
>> > _______________________________________________
>> > Opendnssec-user mailing list
>> > [email protected]
>> > https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
>> >
>>
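As an added example that is not part of the thread: a small Python check that correlates the ods-enforcerd "Created KSK/ZSK ... with id" lines with the ods-signerd "[hsm] unable to get key" lines, so a key that the enforcer recorded in its database but the signer cannot load from the HSM (the "NOT IN repository" state shown in the key list above) is flagged from syslog alone, together with any activation refused under RequireBackup. The sample lines are constructed from the ones quoted in the thread; the regexes are assumptions about the log wording shown there, not an OpenDNSSEC API.

```python
import re
from collections import OrderedDict

# Constructed sample: the enforcer/signer lines quoted in the thread, unwrapped.
SAMPLE_LOG = """\
Dec 18 14:22:16 debugsigner002 ods-enforcerd: Created KSK size: 2048, alg: 8 with id: 328387cdfb9fae6a5bf27082dc0b858b in repository: Keyper and database.
Dec 18 14:22:19 debugsigner002 ods-enforcerd: Created ZSK size: 1024, alg: 8 with id: 6833a76d1e0834504e43c1ae47b66646 in repository: Keyper and database.
Dec 18 14:22:19 debugsigner002 ods-enforcerd: NOTE: keys generated in repository Keyper will not become active until they have been backed up
Dec 18 14:22:19 debugsigner002 ods-enforcerd: ERROR: Trying to make non-backed up ZSK active when RequireBackup flag is set
Dec 18 14:25:53 debugsigner002 ods-signerd: [hsm] unable to get key: key 328387cdfb9fae6a5bf27082dc0b858b not found
Dec 18 14:25:53 debugsigner002 ods-signerd: [worker[1]] CRITICAL: failed to sign zone w3c.org: General error
"""

# Patterns follow the log wording shown in the thread (an assumption, not an ODS API).
CREATED_RE = re.compile(
    r"ods-enforcerd: Created (KSK|ZSK) size: (\d+), alg: (\d+) with id: ([0-9a-f]+) in repository: (\S+)")
MISSING_RE = re.compile(r"ods-signerd: \[hsm\] unable to get key: key ([0-9a-f]+) not found")
BACKUP_RE = re.compile(r"ERROR: Trying to make non-backed up (KSK|ZSK) active when RequireBackup flag is set")

def audit_key_log(text):
    """Correlate enforcer key creation with signer HSM lookups.
    Returns (keys, backup_errors): keys maps CKA_ID -> record with missing_in_hsm
    set when the signer could not load that id from the repository; backup_errors
    lists the key types the enforcer refused to activate under RequireBackup."""
    keys, backup_errors = OrderedDict(), []
    for line in text.splitlines():
        m = CREATED_RE.search(line)
        if m:
            ktype, size, alg, cka_id, repo = m.groups()
            keys[cka_id] = {"type": ktype, "size": int(size), "alg": int(alg),
                            "repository": repo, "missing_in_hsm": False}
            continue
        m = MISSING_RE.search(line)
        if m:
            # A lookup failure for an id never seen created is still worth reporting.
            rec = keys.setdefault(m.group(1), {"type": None, "size": None, "alg": None,
                                               "repository": None, "missing_in_hsm": False})
            rec["missing_in_hsm"] = True
            continue
        m = BACKUP_RE.search(line)
        if m:
            backup_errors.append(m.group(1))
    return keys, backup_errors

def keys_not_in_repository(text):
    """CKA_IDs recorded in the database that the signer could not find in the HSM."""
    keys, _ = audit_key_log(text)
    return [cka_id for cka_id, rec in keys.items() if rec["missing_in_hsm"]]
```

On a live system, feed it the enforcer and signer syslog for the window around a zone's first run and compare the flagged ids against `ods-ksmutil key list -v`.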
