Sorry, it's not correct. You have to import the PEM files into the HSM first and then 
run import-pkcs11 to import the metadata from the HSM into the KASP DB.

What is your HSM?

On 11/9/21 5:05 PM, Daniel Salzman wrote:
> Hi Bastien,
> 
> You have to import the present keys (PEM files) into the HSM keystore. Try 
> using `keymgr import-pkcs11`.
> 
> Daniel
> 
> On 11/9/21 4:56 PM, Bastien Durel wrote:
>> Hello,
>>
>> Is there a way to perform a key rollover using a new keystore for the
>> new KSK?
>>
>> I'd like to switch from KASP DB pem files to HSM-backed keys
>>
>> I've tried to make a new zone test.test, using the default KASP, and
>> then change the storage to HSM, but this leads to 'not exists' errors
>> at reload:
>>
>> nov. 09 11:36:39 arrakeen knotd[2144032]: info: [test.test.] DNSSEC, key, 
>> tag  4164, algorithm ECDSAP384SHA384, KSK, public, ready, active+
>> nov. 09 11:36:39 arrakeen knotd[2144032]: info: [test.test.] DNSSEC, key, 
>> tag 15855, algorithm ECDSAP384SHA384, public, active
>> nov. 09 11:36:39 arrakeen knotd[2144032]: error: [test.test.] DNSSEC, failed 
>> to load private keys (not exists)
>> nov. 09 11:36:39 arrakeen knotd[2144032]: 2021-11-09T11:36:39+0100 error: 
>> [test.test.] DNSSEC, failed to load private keys (not exists)
>> nov. 09 11:36:39 arrakeen knotd[2144032]: 2021-11-09T11:36:39+0100 error: 
>> [test.test.] DNSSEC, failed to load keys (not exists)
>> nov. 09 11:36:39 arrakeen knotd[2144032]: 2021-11-09T11:36:39+0100 error: 
>> [test.test.] zone event 'DNSSEC re-sign' failed (not exists)
>> nov. 09 11:36:39 arrakeen knotd[2144032]: error: [test.test.] DNSSEC, failed 
>> to load keys (not exists)
>> nov. 09 11:36:39 arrakeen knotd[2144032]: info: [test.test.] DNSSEC, next 
>> signing at 2021-11-09T12:36:39+0100
>> nov. 09 11:36:39 arrakeen knotd[2144032]: error: [test.test.] zone event 
>> 'DNSSEC re-sign' failed (not exists)
>> nov. 09 11:36:40 arrakeen knotd[2144032]: error: [test.test.] DNSSEC, failed 
>> to load private keys (not exists)
>> nov. 09 11:36:40 arrakeen knotd[2144032]: 2021-11-09T11:36:40+0100 error: 
>> [test.test.] DNSSEC, failed to load private keys (not exists)
>> nov. 09 11:36:40 arrakeen knotd[2144032]: 2021-11-09T11:36:40+0100 error: 
>> [test.test.] zone event 'DS check' failed (not exists)
>> nov. 09 11:36:40 arrakeen knotd[2144032]: error: [test.test.] zone event 'DS 
>> check' failed (not exists)
>>
>> policy:
>>   - id: default
>>     algorithm: ECDSAP384SHA384
>>     ksk-size: 384
>>     zsk-size: 384
>>     nsec3: on
>>     nsec3-salt-lifetime: 4d
>>     ksk-submission: validating-resolver
>>   - id: default_hsm
>>     keystore: hsmkey
>>     algorithm: ECDSAP384SHA384
>>     ksk-size: 384
>>     zsk-size: 384
>>     nsec3: on
>>     nsec3-salt-lifetime: 4d
>>     ksk-submission: validating-resolver
>>
>> zone:
>>   - domain: "test.test."
>>     file: "test.test"
>> #    dnssec-policy: default
>>     dnssec-policy: default_hsm
>>
>> keymgr test.test list ->
>>
>> b63796b44dcfed7392639aec6fb4a7ca9ca446dd ksk=yes zsk=no  tag=04164 
>> algorithm=14 size=384  public-only=no  pre-active=0 publish=1636454163 
>> ready=1636454163 active=0 retire-active=0 retire=0 post-active=0 revoke=0 
>> remove=0
>> fdd7822a5498d6eda619092f01dffa41c285d00e ksk=no  zsk=yes tag=15855 
>> algorithm=14 size=384  public-only=no  pre-active=0 publish=1636454163 
>> ready=0 active=1636454163 retire-active=0 retire=0 post-active=0 revoke=0 
>> remove=0
>>
>> knotc zone-key-rollover test.test ksk ->
>>
>> nov. 09 11:39:58 arrakeen knotd[2144032]: info: [test.test.] DNSSEC, key, 
>> tag  4164, algorithm ECDSAP384SHA384, KSK, public, ready, active+
>> nov. 09 11:39:58 arrakeen knotd[2144032]: info: [test.test.] DNSSEC, key, 
>> tag 15855, algorithm ECDSAP384SHA384, public, active
>> nov. 09 11:39:58 arrakeen knotd[2144032]: info: [test.test.] DNSSEC, key, 
>> tag 43192, algorithm ECDSAP384SHA384, KSK, public, active+
>> nov. 09 11:39:58 arrakeen knotd[2144032]: error: [test.test.] DNSSEC, failed 
>> to load private keys (not exists)
>> nov. 09 11:39:58 arrakeen knotd[2144032]: 2021-11-09T11:39:58+0100 error: 
>> [test.test.] DNSSEC, failed to load private keys (not exists)
>> nov. 09 11:39:58 arrakeen knotd[2144032]: 2021-11-09T11:39:58+0100 error: 
>> [test.test.] DNSSEC, failed to load keys (not exists)
>> nov. 09 11:39:58 arrakeen knotd[2144032]: error: [test.test.] DNSSEC, failed 
>> to load keys (not exists)
>> nov. 09 11:39:58 arrakeen knotd[2144032]: info: [test.test.] DNSSEC, next 
>> signing at 2021-11-09T12:39:51+0100
>> nov. 09 11:39:58 arrakeen knotd[2144032]: 2021-11-09T11:39:58+0100 error: 
>> [test.test.] zone event 'DNSSEC re-sign' failed (not exists)
>> nov. 09 11:39:58 arrakeen knotd[2144032]: error: [test.test.] zone event 
>> 'DNSSEC re-sign' failed (not exists)
>> nov. 09 11:39:58 arrakeen knotd[2144032]: error: [test.test.] DNSSEC, failed 
>> to load private keys (not exists)
>> nov. 09 11:39:58 arrakeen knotd[2144032]: 2021-11-09T11:39:58+0100 error: 
>> [test.test.] DNSSEC, failed to load private keys (not exists)
>> nov. 09 11:39:58 arrakeen knotd[2144032]: 2021-11-09T11:39:58+0100 error: 
>> [test.test.] zone event 'DS check' failed (not exists)
>> nov. 09 11:39:58 arrakeen knotd[2144032]: error: [test.test.] zone event 'DS 
>> check' failed (not exists)
>>
>> keymgr test.test list ->
>>
>> b63796b44dcfed7392639aec6fb4a7ca9ca446dd ksk=yes zsk=no  tag=04164 
>> algorithm=14 size=384  public-only=no  pre-active=0 publish=1636454163 
>> ready=1636454163 active=0 retire-active=0 retire=0 post-active=0 revoke=0 
>> remove=0
>> fc4c2a4b6b43d0428a68b4e130232d261a5ee189 ksk=yes zsk=no  tag=43192 
>> algorithm=14 size=384  public-only=no  pre-active=0 publish=1636454391 
>> ready=0 active=0 retire-active=0 retire=0 post-active=0 revoke=0 remove=0
>> fdd7822a5498d6eda619092f01dffa41c285d00e ksk=no  zsk=yes tag=15855 
>> algorithm=14 size=384  public-only=no  pre-active=0 publish=1636454163 
>> ready=0 active=1636454163 retire-active=0 retire=0 post-active=0 revoke=0 
>> remove=0
>>
>> The DNSKEY was not changed when the new KSK was introduced, so I guess
>> it's not visible:
>>
>> dig +dnssec @ns.geekwu.org dnskey test.test
>> test.test.           86400   IN      DNSKEY  256 3 14 
>> f06gYOe4uyphbGuBAWvDFnkQDY8+3SrM4e8k9o86AcuD3OL14chmn+34 
>> np03/qFI5HCxG688v+Krnm8MbOc+eEaCBHisJpWo8j9+ot/ct2rfJln3 96rNcQXCzUNzDaSZ
>> test.test.           86400   IN      DNSKEY  257 3 14 
>> 7qUXsDfMWc8D6rp9Rvt2QOORZi7/pTEclBawadkauau3xA9iTBwOsZ0G 
>> 0/6/O9PqrdQBrHP2K4sODOLSI685sOz5lZGRaUqPkuiZe2Gj1OwXsUz1 495W+GmnoAz26YHh
>> test.test.           86400   IN      RRSIG   DNSKEY 14 2 86400 
>> 20211123103603 20211109090603 4164 test.test. 
>> 79XNugNJVXJktk7EpIf+0JlJUGDRrxRtbqKQqZouY1vViLn2PY+SVxPd 
>> msnQl5EEX9Cp3dHvAw1xOTYjupnYHj5FlA14g9tRPxD97jRylrXgg0rW TLU4he2ujC1rhcS4
>>
>> Is this kind of rollover/keystore switch supported?
>>
>> Thanks,
>>
-- 
https://lists.nic.cz/mailman/listinfo/knot-dns-users
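The two-step migration described in the reply above (private key into the token first, then `keymgr import-pkcs11` to create the KASP DB record that points at it) as an added worked example; this is not code from the thread or from the Knot DNS project. It assumes SoftHSMv2 as the PKCS#11 token (a real HSM would use the vendor's own key-import tool), that the KASP DB keeps each private key as a PKCS#8 PEM file named `<key-id>.pem` under `/var/lib/knot/keys`, and that `knot.conf` already defines the `hsmkey` keystore with `backend: pkcs11` and a `config:` line of the form `"pkcs11:token=<label>;pin-value=<pin> /path/to/libsofthsm2.so"`. The `keymgr list` line format parsed here is the one shown in the thread; the timer parameter names (`pre_active`, `retire_active`, `post_active`) follow the keymgr manual. Commands are only printed unless `DRY_RUN=0` is set.

```shell
#!/bin/sh
# Added example (not from the thread or the Knot project): move one KASP-DB
# key into a PKCS#11 token and register it with "keymgr import-pkcs11".
# Assumed locations; override via environment.
KASP_DIR="${KASP_DIR:-/var/lib/knot/keys}"   # assumption: <key-id>.pem lives here
TOKEN="${TOKEN:-knot}"                         # assumption: SoftHSM token label
PIN="${PIN:-1234}"                             # assumption: user PIN
CONF="${CONF:-/etc/knot/knot.conf}"            # assumption: zone policy uses the pkcs11 keystore

# Print the command instead of running it unless DRY_RUN=0.
run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        printf 'would run: %s\n' "$*"
    else
        "$@"
    fi
}

# Turn one "keymgr <zone> list" line into "<key-id> <key_params...>" for
# import-pkcs11: keep ksk/zsk/algorithm/size, drop tag and public-only,
# keep only non-zero timers, and rename timers to keymgr's underscore form.
kmlist_to_params() {
    printf '%s\n' "$1" | awk '{
        id = $1; out = "";
        for (i = 2; i <= NF; i++) {
            split($i, kv, "=");
            k = kv[1]; v = kv[2];
            if (k == "tag" || k == "public-only") continue;
            if (k == "ksk" || k == "zsk" || k == "algorithm" || k == "size") {
                out = out " " k "=" v; continue;
            }
            gsub("-", "_", k);               # pre-active -> pre_active, etc.
            if (v != "0") out = out " " k "=" v;
        }
        sub(/^ /, "", out);
        print id " " out;
    }'
}

# $1: one keymgr list line, $2: zone name (trailing dot optional)
migrate_key() {
    line=$1; zone=$2
    parsed=$(kmlist_to_params "$line")
    key_id=${parsed%% *}
    params=${parsed#* }
    pem="$KASP_DIR/$key_id.pem"
    # Step 1: private key into the token. CKA_ID is set to the KASP key id so
    # the same hex string identifies the object on the keymgr side.
    run softhsm2-util --import "$pem" --token "$TOKEN" --pin "$PIN" \
        --label "$zone-$key_id" --id "$key_id"
    # Step 2: KASP DB record that references the HSM object, carrying the
    # original role, algorithm and timers so the key state is preserved.
    # shellcheck disable=SC2086  # $params is intentionally word-split
    run keymgr -c "$CONF" "$zone" import-pkcs11 "$key_id" $params
}

# Usage: migrate.sh "<one line of keymgr list output>" <zone>
if [ $# -ge 2 ]; then
    migrate_key "$1" "$2"
fi
```

Run it once per key listed by `keymgr <zone> list`, with a backup of the KASP DB taken first, and check `keymgr <zone> list` and the knotd log afterwards for the `failed to load private keys` error disappearing. If the KASP DB still holds the old PEM-backed record under the same key id and Knot refuses the duplicate, give the token object a fresh `--id` and pass that to `import-pkcs11` instead of reusing the original id.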