> If key_pair_id = 0 is indeed invalid, I guess the database has gotten
> into a state where OpenDNSSEC refuses to mend it automatically.
>
> Guidance sought.

Listing all the keys with "ods-ksmutil key list --verbose --all"
revealed:

NOT ALLOCATED                   KSK           generate  (not scheduled)      (publish)  2048    8           3b929d0ab308b4e1e8bf81abf1e6dafe  SoftHSM
NOT ALLOCATED                   ZSK           generate  (not scheduled)      (publish)  1024    8           b3c5b3d619c086f41f3f2ed440419f23  SoftHSM

Yes, that's an empty "key tag" field; all the others have a value
there (after the "SoftHSM" tag).  I wonder how it managed to get into
that state.  Let's try to delete these two and see how it goes...

ods @ hugin: {7} ods-ksmutil key delete --cka_id 3b929d0ab308b4e1e8bf81abf1e6dafe
Key delete successful: 3b929d0ab308b4e1e8bf81abf1e6dafe
ods @ hugin: {8} ods-ksmutil key delete --cka_id b3c5b3d619c086f41f3f2ed440419f23
Key delete successful: b3c5b3d619c086f41f3f2ed440419f23
ods @ hugin: {9}
ods @ hugin: {9} ods-control enforcer stop
Stopping enforcer...
ods @ hugin: {10} ods-control enforcer start
Starting enforcer...
OpenDNSSEC ods-enforcerd started (version 1.4.9), pid 17045
ods @ hugin: {11}

Hmm, definitely better:

Mar 10 14:04:01 hugin ods-enforcerd: 367 zone(s) found on policy "default"
Mar 10 14:04:01 hugin ods-enforcerd: Predict we need 367 KSKs
Mar 10 14:04:01 hugin ods-enforcerd: Have 366 KSK keys in queue
Mar 10 14:04:01 hugin ods-enforcerd: Need 1 new KSK keys
Mar 10 14:04:01 hugin ods-enforcerd: 1 new KSK(s) (2048 bits) need to be created for policy default: keys_to_generate(1) = keys_needed(367) - keys_available(366).
Mar 10 14:04:01 hugin ods-enforcerd: Created key in repository SoftHSM
Mar 10 14:04:01 hugin ods-enforcerd: Created KSK size: 2048, alg: 8 with id: 95ebe2949eeb84fac9eee71573347b96 in repository: SoftHSM and database.
Mar 10 14:04:01 hugin ods-enforcerd: Predict we need 367 new ZSK keys
Mar 10 14:04:01 hugin ods-enforcerd: Have 366 ZSK keys in queue
Mar 10 14:04:01 hugin ods-enforcerd: Need 1 new ZSK keys
Mar 10 14:04:01 hugin ods-enforcerd: 1 new ZSK(s) (1024 bits) need to be created for policy default: keys_to_generate(1) = keys_needed(367) - keys_available(366).
Mar 10 14:04:01 hugin ods-enforcerd: Created key in repository SoftHSM
Mar 10 14:04:01 hugin ods-enforcerd: Created ZSK size: 1024, alg: 8 with id: ce16fcac12944304b81957d99c69a1fd in repository: SoftHSM and database.
Mar 10 14:04:01 hugin ods-enforcerd: NOTE: keys generated in repository SoftHSM will not become active until they have been backed up

and...

Mar 10 14:04:20 hugin ods-enforcerd: Zone mydomainname.no found.
Mar 10 14:04:20 hugin ods-enforcerd: Policy for mydomainname.no set to default.
Mar 10 14:04:20 hugin ods-enforcerd: Config will be output to /var/opendnssec/signconf/mydomainname.no.xml.
Mar 10 14:04:20 hugin ods-enforcerd: New unallocated keypair_id=2373
Mar 10 14:04:20 hugin ods-enforcerd: ZSK key allocation for zone mydomainname.no: 1 key(s) allocated
Mar 10 14:04:20 hugin ods-enforcerd: New unallocated keypair_id=2372
Mar 10 14:04:20 hugin ods-enforcerd: KSK key allocation for zone mydomainname.no: 1 key(s) allocated
Mar 10 14:04:20 hugin ods-enforcerd: INFO: Promoting ZSK from publish to active as this is the first pass for the zone
Mar 10 14:04:20 hugin ods-enforcerd: ERROR: Trying to make non-backed up ZSK active when RequireBackup flag is set
Mar 10 14:04:20 hugin ods-enforcerd: KsmRequestKeys returned: 65562
Mar 10 14:04:20 hugin ods-enforcerd: Signconf not written for mydomainname.no
Mar 10 14:04:20 hugin ods-enforcerd: Disconnecting from Database...

and doing a SoftHSM backup and a "ods-control enforcer notify"
finally caused the domain to be signed.

Regards,

- Håvard
_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
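The post above found the stuck keys by eyeballing `ods-ksmutil key list --verbose --all` for rows with an empty key tag column and then deleted them by CKA_ID. Below is an added helper (not part of the original thread, not OpenDNSSEC's own tooling) that does the same check over that output mechanically and emits the `ods-ksmutil key delete --cka_id` commands for review instead of running them. The sample key list it parses is constructed here in the shape the post shows (the header line and the tagged rows are assumed, not copied from a real system), and the script assumes repository names are never 32-character hex strings, since that is how it tells an untagged row from a tagged one.

```shell
#!/bin/sh
# Constructed sample of `ods-ksmutil key list --verbose --all` output, modelled
# on the rows quoted in the post.  Two unallocated keys have no key tag after
# the repository column; one unallocated key and one active key are tagged.
# The header line and the tagged rows are assumptions made for this example.
SAMPLE_KEYLIST='Zone:                           Keytype:      State:    Date of next transition (to):  Size:   Algorithm:  CKA_ID:                           Repository:  Keytag:
NOT ALLOCATED                   KSK           generate  (not scheduled)      (publish)  2048    8           3b929d0ab308b4e1e8bf81abf1e6dafe  SoftHSM
NOT ALLOCATED                   ZSK           generate  (not scheduled)      (publish)  1024    8           b3c5b3d619c086f41f3f2ed440419f23  SoftHSM
NOT ALLOCATED                   KSK           generate  (not scheduled)      (publish)  2048    8           95ebe2949eeb84fac9eee71573347b96  SoftHSM      23456
example.net                     ZSK           active    2016-03-10 14:04:01  (retire)   1024    8           ce16fcac12944304b81957d99c69a1fd  SoftHSM      34567'

# untagged_cka_ids KEYLIST
# Print the CKA_ID of every key row whose key tag column is empty.
# A tagged row ends "<CKA_ID> <Repository> <Keytag>", an untagged row ends
# "<CKA_ID> <Repository>", so the 32-hex-character CKA_ID is the second-to-last
# field exactly when the tag is missing.  Assumes no repository is named with a
# 32-character hex string.  The header line (NR == 1) is skipped.
untagged_cka_ids() {
    printf '%s\n' "$1" | awk '
        NR > 1 && NF >= 2 && $(NF-1) ~ /^[0-9a-f]+$/ && length($(NF-1)) == 32 {
            print $(NF-1)
        }'
}

# delete_commands KEYLIST
# Emit one `ods-ksmutil key delete --cka_id <id>` line per untagged key.
# Nothing is executed: read the list, compare it with what the enforcer log
# complains about, and only then pipe it to sh.
delete_commands() {
    untagged_cka_ids "$1" | while read -r id; do
        printf 'ods-ksmutil key delete --cka_id %s\n' "$id"
    done
}

# Stand-alone run over the constructed sample.  On a live system replace the
# sample with: delete_commands "$(ods-ksmutil key list --verbose --all)"
delete_commands "$SAMPLE_KEYLIST"
```

Deleting an unallocated, untagged key only removes the database row for it, which is the point of the exercise; as the post shows, the enforcer then generates a replacement, and with `RequireBackup` set the new key still will not become active until the repository has been backed up and the enforcer has been notified.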
