Hi Libor,
Hi Daniel,
thanks for you feedback. I upgraded the affected machine to 3.1.7 and
the problem is solved for me.
Thanks,
Thomas
On 25.04.22 12:36, libor.peltan wrote:
Hi Thomas,
thanks much for your report!
This is indeed a bug, which was introduced in Knot DNS version 3.0.6 (by
fixing another bug...), and fixed unintentionally by implementing a
feature in 3.1.0.
I recommend that you work around by using any unaffected version, e.g.
3.1.7.
Please let us know any following interesting findings.
Thank you,
Libor
Dne 23. 04. 22 v 19:45 Daniel Salzman napsal(a):
Hi Thomas,
what changed since the time when it worked? Still the same Knot version?
Daniel
On 4/22/22 23:12, Thomas wrote:
Hi,
for the transition of a TLD I need to import the current providers
KSK into my zone. I use the "keymgr import-pub" command for this. I
have done that a few times in the past and it worked very well.
I have now installed the most current version of Knot (3.0.10) and
did the same procedure. But after importing the KSK the zone can't be
signed anymore. It seems like Knot doesn't recognize that this
imported key is a "public-only" key. Knot throws an error and
complains that the private key could not be loaded.
The zone's keys (.example) before the import of the KSK:
# keymgr example list
0b94a3f9fef3ae531fc5ee1334ddd2876db7cd9a ksk=yes zsk=no tag=12595
algorithm=7 size=2048 public-only=no pre-active=0
publish=1650495677 ready=1650495677 active=1650659051 retire-active=0
retire=0 post-active=0 revoke=0 remove=0
13cc082655ddf7160787ef945ad7edb6406bb70e ksk=no zsk=yes tag=05477
algorithm=7 size=1024 public-only=no pre-active=0
publish=1650495677 ready=0 active=1650495677 retire-active=0 retire=0
post-active=0 revoke=0 remove=0
Imported the KSK with the following command:
# keymgr example import-pub /etc/knot/public.key
2c135e77b7f48475a837ad0d28a9459f0e7ce621
OK
The zone's keys (.example) after the import of the KSK:
# keymgr example list
0b94a3f9fef3ae531fc5ee1334ddd2876db7cd9a ksk=yes zsk=no tag=12595
algorithm=7 size=2048 public-only=no pre-active=0
publish=1650495677 ready=1650495677 active=1650659051 retire-active=0
retire=0 post-active=0 revoke=0 remove=0
13cc082655ddf7160787ef945ad7edb6406bb70e ksk=no zsk=yes tag=05477
algorithm=7 size=1024 public-only=no pre-active=0
publish=1650495677 ready=0 active=1650495677 retire-active=0 retire=0
post-active=0 revoke=0 remove=0
2c135e77b7f48475a837ad0d28a9459f0e7ce621 ksk=yes zsk=no tag=35421
algorithm=7 size=2048 public-only=yes pre-active=0
publish=1650660072 ready=0 active=0 retire-active=0 retire=0
post-active=0 revoke=0 remove=0
The imported key (tag 35421) has the flag "public-only=yes", as
expected.
But when I now sign the zone, the log shows this errors:
Apr 22 20:43:24 lab-nic knotd[2831]: info: [example.] control,
received command 'zone-sign'
Apr 22 20:43:24 lab-nic knotd[2831]: info: [example.] DNSSEC,
dropping previous signatures, re-signing zone
Apr 22 20:43:24 lab-nic knotd[2831]: info: [example.] DNSSEC, key,
tag 12595, algorithm RSASHA1_NSEC3_SHA1, KSK, public, active
Apr 22 20:43:24 lab-nic knotd[2831]: info: [example.] DNSSEC, key,
tag 35421, algorithm RSASHA1_NSEC3_SHA1, KSK, public, active+
Apr 22 20:43:24 lab-nic knotd[2831]: info: [example.] DNSSEC, key,
tag 5477, algorithm RSASHA1_NSEC3_SHA1, public, active
Apr 22 20:43:24 lab-nic knotd[2831]: error: [example.] DNSSEC, failed
to load private keys (not exists)
Apr 22 20:43:24 lab-nic knotd[2831]: error: [example.] DNSSEC, failed
to load keys (not exists)
Apr 22 20:43:24 lab-nic knotd[2831]: info: [example.] DNSSEC, next
signing at 2022-04-22T21:43:24+0000
Apr 22 20:43:24 lab-nic knotd[2831]: error: [example.] zone event
'DNSSEC re-sign' failed (not exists)
The imported key should not have the "active" flag:
info: [example.] DNSSEC, key, tag 35421, algorithm
RSASHA1_NSEC3_SHA1, KSK, public, active+
It seems to me that the imported key is not seen as a "public-only"
key anymore and therefore Knot is looking for the corresponding
private key, which of course fails.
I attached an strace output, with the signing operation. But that
doesn't seem to be helpful because the signing command itself doesn't
fail.
Thanks,
Thomas
--
--
--
