On 13/12/10 12:57, Sion Lloyd wrote:
>> Inspecting kasp.db does list the keys that are unknown to the HSM, even
>> after the re-adding and removal of zone example.com, which gets these
>> keys added to it. I'll send you the kasp.db off-list, but I assume that
>> it would be possible to use regular SQL to remove the missing keys from
>> the kasp.db 'keypairs' table?
>
> Yes, that would work. It looks like the keys were never used, so the system
> thinks that they are available for any new zone that you add.
>
> I'm still unsure as to how the database got into this state, deleting the
> zone should leave the keys in the HSM. Unless you run "ods-ksmutil key purge".
>
I further investigated the logs on how this situation was created, and I
found out:
I wanted to migrate a signed zone to this new setup, and imported the
keys that were already in use. The old keys had alg 7
(RSASHA1-NSEC3-SHA1), but the policy to which I added the zone had alg 8
(RSASHA256). After I noticed this error (upon signing), I removed the
zone from ODS, and the keys from the HSM. I'm not really sure how I
exactly did that (the logging has no useful data on that), but it seems
that the keypair entries were not removed from kasp.db. This might just
be a genuine case of PEBKAC :/
The only conclusion would be that it would be nice if more logging of
"ods-ksmutil zone *" commands were available, at least for commands
that change data. Currently 'zone add/delete' do not log anything. The same
goes for ods-hsmutil.
--
Regards,
Tom
_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
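The thread above agrees that orphaned rows in the kasp.db 'keypairs' table (keys that no longer exist in the HSM and were never assigned to a zone) can be removed with plain SQL. The script below is an added example, not code from the thread or from the OpenDNSSEC project, showing how to do that reconciliation safely: it reports the orphans first, refuses to touch rows that any zone still references, and only deletes inside a transaction when dry-run is switched off. The table and column names (`keypairs`, `HSMkey_id`, `dnsseckeys.keypair_id`) are assumptions modelled loosely on the OpenDNSSEC 1.x schema; check them with `.schema` in sqlite3 against your own kasp.db, and work on a copy of the file. The HSM key ID list is a constructed sample; in practice you would fill it from the ID column of `ods-hsmutil list`.

```python
import sqlite3
from typing import Iterable, List, Tuple

# ASSUMED, simplified stand-in for the relevant part of kasp.db.
# Verify the real table/column names with `.schema keypairs` before use.
SCHEMA = """
CREATE TABLE keypairs (
    id        INTEGER PRIMARY KEY,
    HSMkey_id TEXT NOT NULL,   -- CKA_ID of the key object in the HSM
    algorithm INTEGER NOT NULL -- 7 = RSASHA1-NSEC3-SHA1, 8 = RSASHA256
);
CREATE TABLE dnsseckeys (
    id         INTEGER PRIMARY KEY,
    keypair_id INTEGER NOT NULL REFERENCES keypairs(id),
    zone_id    INTEGER NOT NULL
);
"""


def build_sample_kasp_db() -> sqlite3.Connection:
    """Constructed sample data mirroring the situation in the thread:
    rows 1 and 2 are alg-7 keys imported for the old zone and later
    deleted from the HSM but left in kasp.db; row 3 is a live alg-8 key
    assigned to a zone; row 4 is missing from the HSM *and* still
    referenced by a zone, so it must never be silently purged."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO keypairs (id, HSMkey_id, algorithm) VALUES (?, ?, ?)",
        [
            (1, "a1b2c3d4e5f60718", 7),  # constructed CKA_IDs
            (2, "1122334455667788", 7),
            (3, "99aabbccddeeff00", 8),
            (4, "0f1e2d3c4b5a6978", 8),
        ],
    )
    conn.executemany(
        "INSERT INTO dnsseckeys (id, keypair_id, zone_id) VALUES (?, ?, ?)",
        [(1, 3, 1), (2, 4, 2)],
    )
    conn.commit()
    return conn


def find_orphaned_keypairs(
    conn: sqlite3.Connection, hsm_key_ids: Iterable[str]
) -> List[Tuple[int, str, int]]:
    """Return (id, HSMkey_id, algorithm) for keypairs rows whose key object
    is absent from the HSM and which no zone references. Keys that are
    absent but still assigned to a zone are deliberately excluded: those
    need a human decision, not a bulk DELETE."""
    present = {k.lower() for k in hsm_key_ids}
    unassigned = conn.execute(
        """SELECT k.id, k.HSMkey_id, k.algorithm
           FROM keypairs k
           WHERE NOT EXISTS (
               SELECT 1 FROM dnsseckeys d WHERE d.keypair_id = k.id)
           ORDER BY k.id"""
    ).fetchall()
    return [row for row in unassigned if row[1].lower() not in present]


def find_missing_but_assigned(
    conn: sqlite3.Connection, hsm_key_ids: Iterable[str]
) -> List[Tuple[int, str, int]]:
    """Keys a zone still references that the HSM no longer has: signing
    will fail for that zone, so report them loudly rather than delete."""
    present = {k.lower() for k in hsm_key_ids}
    assigned = conn.execute(
        """SELECT DISTINCT k.id, k.HSMkey_id, k.algorithm
           FROM keypairs k JOIN dnsseckeys d ON d.keypair_id = k.id
           ORDER BY k.id"""
    ).fetchall()
    return [row for row in assigned if row[1].lower() not in present]


def purge_orphaned_keypairs(
    conn: sqlite3.Connection, hsm_key_ids: Iterable[str], dry_run: bool = True
) -> int:
    """Delete orphaned keypairs rows in one transaction; returns how many
    rows would be (dry run) or were (dry_run=False) removed."""
    orphans = find_orphaned_keypairs(conn, hsm_key_ids)
    if dry_run or not orphans:
        return len(orphans)
    with conn:  # commits on success, rolls back if any statement fails
        conn.executemany(
            "DELETE FROM keypairs WHERE id = ?", [(row[0],) for row in orphans]
        )
    return len(orphans)


if __name__ == "__main__":
    db = build_sample_kasp_db()
    hsm_ids = ["99AABBCCDDEEFF00"]  # constructed: only key 3 is in the HSM
    for row in find_orphaned_keypairs(db, hsm_ids):
        print("orphaned, safe to delete:", row)
    for row in find_missing_but_assigned(db, hsm_ids):
        print("WARNING missing from HSM but assigned to a zone:", row)
    print("dry run would delete", purge_orphaned_keypairs(db, hsm_ids), "rows")
```

Run it once against a copy of the database with the default dry run, review the reported rows, and only then call `purge_orphaned_keypairs(..., dry_run=False)`. Because `ods-ksmutil zone add/delete` and `ods-hsmutil` do not log their changes (as the thread notes), keeping the dry-run output alongside the modified kasp.db is the only record you will have of what was removed and why.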
