Hello!

Sorry, I'm confused. My test:

1) Secondary Knot is running without zone (055e.) configured.

2) The config file is extended with these lines without reload/restart:

keystore:
 - id: hsm
   backend: pkcs11
   config: "pkcs11:token=knot;pin-value=1234 /home/keyper/Keyper/PKCS11Provider/pkcs11.so"
   key-label: on

policy:
 - id: pol
   manual: on
   keystore: hsm

zone:
 - domain: 055e.
   dnssec-signing: on
   dnssec-policy: pol

3) Two new keys are generated:

$ keymgr 055e generate ksk=yes zsk=no
463b611ac6dd050fe682a0df5c53a7f5ab5ec1d5

$ keymgr 055e generate ksk=no zsk=yes
c6439fd3acd592817c46a22ac4f67475095f70ac

$ keymgr 055e list
463b611ac6dd050fe682a0df5c53a7f5ab5ec1d5 36332 KSK ECDSAP256SHA256 publish=1676120693 ready=1676120693 active=1676120693
c6439fd3acd592817c46a22ac4f67475095f70ac 55614 ZSK ECDSAP256SHA256 publish=1676120698 active=1676120698

4) The secondary Knot is reloaded:

2023-02-11T14:05:18+0100 info: control, received command 'reload'
2023-02-11T14:05:18+0100 info: reloading configuration file '/etc/knot/knot.conf'
2023-02-11T14:05:18+0100 info: [055e.] zone will be loaded
2023-02-11T14:05:18+0100 info: configuration reloaded
2023-02-11T14:05:18+0100 info: [055e.] failed to parse zone file '/tmp/055e.zone' (not exists)
2023-02-11T14:05:18+0100 info: [055e.] zone will be bootstrapped
2023-02-11T14:05:18+0100 info: [055e.] AXFR, incoming, remote ::1@3889, started
2023-02-11T14:05:18+0100 info: [055e.] AXFR, incoming, remote ::1@3889, finished, 0.00 seconds, 1 messages, 211 bytes
2023-02-11T14:05:18+0100 info: [055e.] DNSSEC, key, tag 36332, algorithm ECDSAP256SHA256, KSK, public, active
2023-02-11T14:05:18+0100 info: [055e.] DNSSEC, key, tag 55614, algorithm ECDSAP256SHA256, public, active
2023-02-11T14:05:19+0100 info: [055e.] DNSSEC, signing started
2023-02-11T14:05:19+0100 info: [055e.] DNSSEC, successfully signed
2023-02-11T14:05:19+0100 info: [055e.] DNSSEC, next signing at 2023-02-25T13:05:19+0100
2023-02-11T14:05:19+0100 info: [055e.] refresh, remote ::1@3889, zone updated, 1.02 seconds, serial none -> 1480320382, remote serial 1480320382, expires in 2419200 seconds

What is different?

Daniel

On 2023-02-11 11:42, Jan-Piet Mens wrote:
Good news JP, I have reproduced the issue with Keyper HSM.

I'm glad you can reproduce it, Daniel. :)

I'm considering extending keymgr listing with the keystore type.

That would be useful.

The problem isn't with HSM (of course it happens with SoftHSM too) but in the configuration. If the zone isn't configured, keymgr reads the defaults (PEM keystore). So you have to add the zone to the configuration before manual key generation, or set some policy with the PKCS11 keystore in the default template.

That's what I did. In order:

1. Add the zone to the configuration. Don't reload yet.
2. keymgr generate to create the keys on the HSM. (If I do this before step 1, then the keys are obviously created on the default PEM keystore.)
3. Transfer the zone

If I change the order of activities, I still have to retransfer at least once:

1. Add zone to configuration
2. Reload knot conf

2023-02-11T11:35:05+0100 info: [tt06.] AXFR, incoming, remote 192.168.33.31@53, started
2023-02-11T11:35:05+0100 info: [tt06.] AXFR, incoming, remote 192.168.33.31@53, finished, 0.00 seconds, 3 messages, 377 bytes
2023-02-11T11:35:05+0100 error: [tt06.] DNSSEC, no keys are available
2023-02-11T11:35:05+0100 error: [tt06.] DNSSEC, failed to load keys (no keys for signing)
2023-02-11T11:35:05+0100 info: [tt06.] DNSSEC, next signing at 2023-02-11T12:35:05+0100
2023-02-11T11:35:05+0100 error: [tt06.] refresh, failed (no keys for signing)
2023-02-11T11:35:05+0100 error: [tt06.] zone event 'refresh' failed (no keys for signing)

3. Generate keys on PKCS11

4. zone-retransfer tt06

2023-02-11T11:36:32+0100 info: [tt06.] control, received command 'zone-retransfer'
2023-02-11T11:36:32+0100 info: [tt06.] AXFR, incoming, remote 192.168.33.31@53, started
2023-02-11T11:36:32+0100 info: [tt06.] AXFR, incoming, remote 192.168.33.31@53, finished, 0.00 seconds, 3 messages, 377 bytes
2023-02-11T11:36:32+0100 info: [tt06.] DNSSEC, key, tag 59128, algorithm RSASHA256, public, active
2023-02-11T11:36:32+0100 info: [tt06.] DNSSEC, key, tag  7376, algorithm RSASHA256, KSK, public, active
2023-02-11T11:36:32+0100 error: [tt06.] DNSSEC, failed to load private keys (not exists)
2023-02-11T11:36:32+0100 error: [tt06.] DNSSEC, failed to load keys (not exists)
2023-02-11T11:36:32+0100 info: [tt06.] DNSSEC, next signing at 2023-02-11T12:36:32+0100
2023-02-11T11:36:32+0100 error: [tt06.] refresh, failed (not exists)
2023-02-11T11:36:32+0100 error: [tt06.] zone event 'refresh' failed (not exists)

5. restart server

2023-02-11T11:37:20+0100 info: [tt06.] failed to parse zone file 'tt06' (not exists)
2023-02-11T11:37:20+0100 info: [tt06.] zone will be bootstrapped

6. zone-retransfer tt06

2023-02-11T11:37:57+0100 info: [tt06.] control, received command 'zone-retransfer'
2023-02-11T11:37:57+0100 info: [tt06.] AXFR, incoming, remote 192.168.33.31@53, started
2023-02-11T11:37:57+0100 info: [tt06.] AXFR, incoming, remote 192.168.33.31@53, finished, 0.00 seconds, 3 messages, 377 bytes
2023-02-11T11:37:57+0100 info: [tt06.] DNSSEC, key, tag 59128, algorithm RSASHA256, public, active
2023-02-11T11:37:57+0100 info: [tt06.] DNSSEC, key, tag  7376, algorithm RSASHA256, KSK, public, active
2023-02-11T11:37:58+0100 info: [tt06.] DNSSEC, signing started
2023-02-11T11:37:58+0100 info: [tt06.] DNSSEC, successfully signed
2023-02-11T11:37:58+0100 info: [tt06.] DNSSEC, next signing at 2023-02-25T10:37:58+0100
2023-02-11T11:37:58+0100 info: [tt06.] refresh, remote 192.168.33.31@53, zone updated, 0.45 seconds, serial none -> 2023010100, remote serial 2023010100, expires in 604800 seconds
2023-02-11T11:37:58+0100 info: [tt06.] zone file updated, serial 2023010100

Best regards,

        -JP
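The ordering pitfall discussed in this thread (keymgr silently falls back to the default PEM keystore when the zone, or a default template carrying a PKCS#11 policy, is not yet present in knot.conf) can be checked before any key is generated. The script below is an added example written for this page; it is not Knot DNS code and not from either author. It parses only the small configuration subset shown in the thread, and its resolution rules (zone entry, then its template, then the `default` template, then the built-in PEM keystore) are a simplified model of Knot's behaviour as Daniel described it, so treat them as an assumption. The three sample configurations are constructed and use a placeholder PIN.

```python
"""Resolve which keystore Knot's keymgr would create keys in for a zone.

Added example (not Knot DNS code). Assumption: keymgr resolves the keystore
as  zone -> dnssec-policy (or the zone's template's policy) -> policy.keystore,
and an unconfigured zone takes the 'default' template's policy, falling back
to the built-in PEM keystore when no policy or keystore is found.
"""


def parse_knot_conf(text):
    """Parse the YAML-like Knot config subset into {section: [ {key: value}, ... ]}."""
    sections, section, item = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()        # drop comments and trailing space
        if not line.strip():
            continue
        stripped = line.lstrip()
        # Unindented 'name:' opens a new section (keystore:, policy:, zone:, ...).
        if not line[0].isspace() and line.endswith(":") and not stripped.startswith("-"):
            section = line[:-1]
            sections.setdefault(section, [])
            item = None
            continue
        if stripped.startswith("- "):                # '- id: x' starts a new list item
            item = {}
            sections.setdefault(section, []).append(item)
            stripped = stripped[2:]
        if item is None:                             # plain 'key: value' under a section
            item = {}
            sections.setdefault(section, []).append(item)
        key, _, value = stripped.partition(":")
        item[key.strip()] = value.strip().strip('"').strip("'")
    return sections


def _find(items, ident):
    """Find a list item by its 'id' (keystore/policy/template) or 'domain' (zone)."""
    return next((i for i in items if i.get("id") == ident or i.get("domain") == ident), None)


def resolve_keystore(conf, zone):
    """Return (backend, keystore_id, reason) for the keystore keymgr would use."""
    zone = zone if zone.endswith(".") else zone + "."
    templates, policies, keystores = (conf.get(s, []) for s in ("template", "policy", "keystore"))
    zone_entry = _find(conf.get("zone", []), zone)
    policy_id = None
    if zone_entry is not None:
        policy_id = zone_entry.get("dnssec-policy")
        tmpl = _find(templates, zone_entry.get("template", "default"))
        if policy_id is None and tmpl is not None:
            policy_id = tmpl.get("dnssec-policy")
        reason = "zone configured"
    else:
        tmpl = _find(templates, "default")          # keymgr reads the defaults here
        if tmpl is not None:
            policy_id = tmpl.get("dnssec-policy")
        reason = "zone not configured; using default template"
    policy = _find(policies, policy_id) if policy_id else None
    keystore_id = policy.get("keystore") if policy else None
    ks = _find(keystores, keystore_id) if keystore_id else None
    if ks is None:
        return ("pem", "default", reason + "; built-in PEM keystore")
    return (ks.get("backend", "pem"), keystore_id, reason + "; policy '%s'" % policy_id)


def hsm_ready(conf, zone):
    """True only if generated keys would land in a PKCS#11 keystore."""
    return resolve_keystore(conf, zone)[0] == "pkcs11"


# Constructed samples mirroring the thread's configuration (placeholder PIN).
BASE = """
keystore:
  - id: hsm
    backend: pkcs11
    config: "pkcs11:token=knot;pin-value=<PIN> /opt/hsm/pkcs11.so"
    key-label: on

policy:
  - id: pol
    manual: on
    keystore: hsm
"""
CONF_ZONE_MISSING = BASE                                  # step 2 done before step 1
CONF_ZONE_CONFIGURED = BASE + """
zone:
  - domain: 055e.
    dnssec-signing: on
    dnssec-policy: pol
"""
CONF_DEFAULT_TEMPLATE = BASE + """
template:
  - id: default
    dnssec-policy: pol
"""

if __name__ == "__main__":
    for name, text in (("zone missing", CONF_ZONE_MISSING),
                       ("zone configured", CONF_ZONE_CONFIGURED),
                       ("default template", CONF_DEFAULT_TEMPLATE)):
        print("%-17s -> %s" % (name, resolve_keystore(parse_knot_conf(text), "055e")))
```

Run it before `keymgr generate`: a result of `pem` for a zone you intend to sign on the HSM means the zone (or a default template with the PKCS#11 policy) still has to be added to knot.conf first, which is the condition that produced the PEM-keystore keys in the thread.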