Good news JP, I have reproduced the issue with Keyper HSM.

I'm glad you can reproduce it, Daniel. :)

I'm considering extending keymgr listing with the keystore type.

that would be useful.

The problem isn't with HSM (of course it happens with SoftHSM too) but in the configuration.
If the zone isn't configured, keymgr reads the defaults (PEM keystore). So you have to add the zone to the configuration before manual key generation or to set some policy with the PKCS11 keystore in the default template.

That's what I did. In order:

1. Add the zone to the configuration. Don't reload yet.
2. keymgr generate to create the keys on the HSM. (If I do this before step 1, then the keys are obviously created on the default PEM keystore.)
3. Transfer the zone

If I change the order of activities, I still have to retransfer at least once:

1. Add zone to configuration
2. Reload knot conf

2023-02-11T11:35:05+0100 info: [tt06.] AXFR, incoming, remote 192.168.33.31@53, started
2023-02-11T11:35:05+0100 info: [tt06.] AXFR, incoming, remote 192.168.33.31@53, finished, 0.00 seconds, 3 messages, 377 bytes
2023-02-11T11:35:05+0100 error: [tt06.] DNSSEC, no keys are available
2023-02-11T11:35:05+0100 error: [tt06.] DNSSEC, failed to load keys (no keys for signing)
2023-02-11T11:35:05+0100 info: [tt06.] DNSSEC, next signing at 2023-02-11T12:35:05+0100
2023-02-11T11:35:05+0100 error: [tt06.] refresh, failed (no keys for signing)
2023-02-11T11:35:05+0100 error: [tt06.] zone event 'refresh' failed (no keys for signing)

3. Generate keys on PKCS11

4. zone-retransfer tt06

2023-02-11T11:36:32+0100 info: [tt06.] control, received command 'zone-retransfer'
2023-02-11T11:36:32+0100 info: [tt06.] AXFR, incoming, remote 192.168.33.31@53, started
2023-02-11T11:36:32+0100 info: [tt06.] AXFR, incoming, remote 192.168.33.31@53, finished, 0.00 seconds, 3 messages, 377 bytes
2023-02-11T11:36:32+0100 info: [tt06.] DNSSEC, key, tag 59128, algorithm RSASHA256, public, active
2023-02-11T11:36:32+0100 info: [tt06.] DNSSEC, key, tag  7376, algorithm RSASHA256, KSK, public, active
2023-02-11T11:36:32+0100 error: [tt06.] DNSSEC, failed to load private keys (not exists)
2023-02-11T11:36:32+0100 error: [tt06.] DNSSEC, failed to load keys (not exists)
2023-02-11T11:36:32+0100 info: [tt06.] DNSSEC, next signing at 2023-02-11T12:36:32+0100
2023-02-11T11:36:32+0100 error: [tt06.] refresh, failed (not exists)
2023-02-11T11:36:32+0100 error: [tt06.] zone event 'refresh' failed (not exists)

5. restart server

2023-02-11T11:37:20+0100 info: [tt06.] failed to parse zone file 'tt06' (not exists)
2023-02-11T11:37:20+0100 info: [tt06.] zone will be bootstrapped

6. zone-retransfer tt06

2023-02-11T11:37:57+0100 info: [tt06.] control, received command 'zone-retransfer'
2023-02-11T11:37:57+0100 info: [tt06.] AXFR, incoming, remote 192.168.33.31@53, started
2023-02-11T11:37:57+0100 info: [tt06.] AXFR, incoming, remote 192.168.33.31@53, finished, 0.00 seconds, 3 messages, 377 bytes
2023-02-11T11:37:57+0100 info: [tt06.] DNSSEC, key, tag 59128, algorithm RSASHA256, public, active
2023-02-11T11:37:57+0100 info: [tt06.] DNSSEC, key, tag  7376, algorithm RSASHA256, KSK, public, active
2023-02-11T11:37:58+0100 info: [tt06.] DNSSEC, signing started
2023-02-11T11:37:58+0100 info: [tt06.] DNSSEC, successfully signed
2023-02-11T11:37:58+0100 info: [tt06.] DNSSEC, next signing at 2023-02-25T10:37:58+0100
2023-02-11T11:37:58+0100 info: [tt06.] refresh, remote 192.168.33.31@53, zone updated, 0.45 seconds, serial none -> 2023010100, remote serial 2023010100, expires in 604800 seconds
2023-02-11T11:37:58+0100 info: [tt06.] zone file updated, serial 2023010100

Best regards,

        -JP
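A knot.conf layout that follows Daniel's advice above: the PKCS#11 keystore is referenced from a policy in the default template, and the zone is present in the configuration before keymgr is run, so both keymgr and the server use the HSM instead of the built-in PEM default. This is an added example, not configuration from the thread or from the Knot project; the keystore and policy ids, the PKCS#11 URI, module path, storage directory, key sizes and config path are assumptions, and the master address is taken from JP's log.

```yaml
# Added example (not from the thread). Values marked ASSUMED are placeholders.

remote:
  - id: primary
    address: 192.168.33.31@53      # the master seen in JP's AXFR log lines

keystore:
  - id: hsm                        # ASSUMED id
    backend: pkcs11
    # ASSUMED token label, PIN and module path; replace with the real HSM values.
    config: "pkcs11:token=knot-dnssec;pin-value=CHANGEME /usr/lib/softhsm/libsofthsm2.so"

policy:
  - id: hsm_rsa                    # ASSUMED id
    keystore: hsm                  # keys for this policy live on the HSM
    manual: on                     # keys are created by hand with keymgr, as in the thread
    algorithm: rsasha256           # matches the algorithm in JP's log
    ksk-size: 2048                 # ASSUMED
    zsk-size: 2048                 # ASSUMED

template:
  - id: default
    storage: /var/lib/knot         # ASSUMED
    dnssec-signing: on
    dnssec-policy: hsm_rsa         # every zone inherits the PKCS11 keystore

zone:
  # The zone must be listed here BEFORE keymgr is run: a zone that keymgr
  # does not find in the configuration falls back to the defaults, i.e. the
  # PEM keystore, which is the mix-up JP hit when generating before step 1.
  - domain: tt06
    master: primary

# Manual key generation against this configuration (ASSUMED config path);
# run it before the first transfer, or retransfer afterwards as JP did:
#   keymgr -c /etc/knot/knot.conf tt06 generate algorithm=rsasha256 ksk=yes
#   keymgr -c /etc/knot/knot.conf tt06 generate algorithm=rsasha256 ksk=no
#   keymgr -c /etc/knot/knot.conf tt06 list
```

With the policy on the default template, any zone added later gets the HSM-backed policy without a per-zone dnssec-policy entry, which removes the ordering dependency between adding the zone and generating its keys.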