On 11.3.2014 17:52, Petr Spacek wrote:
Hello list,

I'm playing with enforcer-ng and I have noticed that it generates a suspicious
number of ZSKs for my test zone.

I have built enforcer-ng myself from git, HEAD
d7ba5fa96bcd8e6e6744e89d11fa2da88f7572c7.

I'm using SoftHSM v2 built from git, HEAD
c893d407b789e81e2d9fab5b112cc59648ba644a. It is configured with "db" backend.

My system is Fedora 20 x86_64.

# ods-enforcer zone add --zone lab1.test.
Imported zone: lab1.test. into database only. Use the --xml flag or run
"ods-enforcer zonelist export" if an update of zonelist.xml is required.
generating 1 KSKs of 2048 bits for policy 'default'.
generating 2048 bit RSA key in repository: SoftHSM
key generation successful: 7efdabae0433129e47649bb51ab2dbdb
finished generating 2048 bit KSKs.
generating 5 ZSKs of 1024 bits for policy 'default'.
generating 1024 bit RSA key in repository: SoftHSM
key generation successful: c9666dfba6f038118c196d181d12a9d7
generating 1024 bit RSA key in repository: SoftHSM
key generation successful: 281c2272fb0e720963f98a6b4bdae4d5
generating 1024 bit RSA key in repository: SoftHSM
key generation successful: 584cd0733d00beb4d4f97e6b2678accc
generating 1024 bit RSA key in repository: SoftHSM
key generation successful: 6b8e9baa08199537fda9a76134aa862c
generating 1024 bit RSA key in repository: SoftHSM
key generation successful: d1ab1dd54f4438c4c247df64bbb2320e
finished generating 1024 bit ZSKs.
no KSK keys of 2048 bits needed for policy 'lab'.
no ZSK keys of 1024 bits needed for policy 'lab'.
zone add completed in 15 seconds.


# ods-hsmutil list
Listing keys in all repositories.
6 keys found.

Repository            ID                                Type
----------            --                                ----
SoftHSM               584cd0733d00beb4d4f97e6b2678accc  RSA/1024
SoftHSM               d1ab1dd54f4438c4c247df64bbb2320e  RSA/1024
SoftHSM               7efdabae0433129e47649bb51ab2dbdb  RSA/2048
SoftHSM               c9666dfba6f038118c196d181d12a9d7  RSA/1024
SoftHSM               281c2272fb0e720963f98a6b4bdae4d5  RSA/1024
SoftHSM               6b8e9baa08199537fda9a76134aa862c  RSA/1024


# ods-enforcer key list --verbose
Keys:
Zone:        Keytype: State:    Date of next transition: Size: Algorithm: CKA_ID:                          Repository: KeyTag:
lab1.test.   KSK      generate  2014-03-13 05:35:24      2048  8          7efdabae0433129e47649bb51ab2dbdb SoftHSM     53104
lab1.test.   ZSK      publish   2014-03-13 05:35:24      1024  8          c9666dfba6f038118c196d181d12a9d7 SoftHSM     20835


Is it a bug? Or did I misunderstand KASP? (attached)

Now I'm pretty sure that it is a bug: 2190 ZSKs is really too much :-)

# ods-enforcer zone add --zone lab1.test. --policy lab
Imported zone: lab1.test. into database only. Use the --xml flag or run "ods-enforcer zonelist export" if an update of zonelist.xml is required.
no KSK keys of 2048 bits needed for policy 'default'.
no ZSK keys of 1024 bits needed for policy 'default'.
generating 1 KSKs of 2048 bits for policy 'lab'.
generating 2048 bit RSA key in repository: SoftHSM
key generation successful: c7af790f81b1f24f60d0b553e19edf25
finished generating 2048 bit KSKs.
generating 2190 ZSKs of 1024 bits for policy 'lab'.
generating 1024 bit RSA key in repository: SoftHSM


As a side-effect, I have found another bug (I guess):
I have terminated ods-enforcer from the previous example with SIGINT (Ctrl+C) because I was impatient and not willing to wait for 2190 new ZSKs.

After that, I tried to run "zone add" again to see if the number of ZSKs changes again:

# ods-enforcer zone add --zone lab2.test. --policy lab
Imported zone: lab2.test. into database only. Use the --xml flag or run "ods-enforcer zonelist export" if an update of zonelist.xml is required.
no KSK keys of 2048 bits needed for policy 'default'.
no ZSK keys of 1024 bits needed for policy 'default'.
generating 1 KSKs of 2048 bits for policy 'lab'.
generating 2048 bit RSA key in repository: SoftHSM
error: key generation failed
error: unable to generate a KSK of 2048 bits
error: generating KSKs failed
generating 4324 ZSKs of 1024 bits for policy 'lab'.
error: could not connect to HSM
error: unable to generate a ZSK of 1024 bits
error: generating ZSKs failed
zone add completed in 3 seconds.

System journal showed me this (everything came from ods-enforcerd daemon):
[zone_add_task] added Zone: lab2.test.
DBObject.cpp(1147): Transaction in database is already active.
[hsmkey_gen_task] key generation failed
[hsmkey_gen_task] unable to generate a KSK of 2048 bits
[hsmkey_gen_task] generating KSKs failed
DB.cpp(63): SQLITE3: cannot start a transaction within a transaction (1)
DBToken.cpp(550): Unable to start a transaction for updating the SOPIN and TOKENFLAGS in token database at "/var/lib/softhsm/tokens//d04b9d46-4818-3b48-3b1d-df4bd4c3986e/sqlite3.db"
Token.cpp(424): Could not get the token flags
[hsmkey_gen_task] could not connect to HSM
[hsmkey_gen_task] unable to generate a ZSK of 1024 bits
[hsmkey_gen_task] generating ZSKs failed
[enforce_task] Updating all zones that need require action
[enforcer] update Zone: lab1.test.
[enforcer] updatePolicy error calculating keytag
[enforcer] update Zone: lab2.test.
[enforcer] updatePolicy No keys available on hsm for policy lab, retry in 60 seconds
[enforce_task] Completed updating all zones that need required action

--
Petr Spacek  @  Red Hat
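A small check over the "zone add" output quoted above, added here as an example and not part of this thread or of OpenDNSSEC: it collects the planned key counts, the CKA_IDs actually created and any error lines, then flags a policy asking for an implausible number of keys or a failed HSM connection. The limit of 50 keys per policy is an assumed local threshold, and the sample input is constructed from the mail.

```python
import re
from dataclasses import dataclass, field

# Line shapes taken from the ods-enforcer "zone add" output quoted in the mail.
PLAN_RE = re.compile(r"^generating (\d+) (KSK|ZSK)s of (\d+) bits for policy '([^']+)'\.$")
DONE_RE = re.compile(r"^key generation successful: ([0-9a-f]{32})$")
ERR_RE = re.compile(r"^error: (.+)$")

@dataclass
class KeyGenReport:
    planned: dict = field(default_factory=dict)    # (policy, keytype) -> planned key count
    generated: list = field(default_factory=list)  # CKA_IDs actually created in the HSM
    errors: list = field(default_factory=list)     # error lines, e.g. HSM connection failures

def parse_zone_add(output: str) -> KeyGenReport:
    """Collect planned key counts, created keys and errors from one 'zone add' run."""
    report = KeyGenReport()
    for line in output.splitlines():
        line = line.strip()
        if m := PLAN_RE.match(line):
            count, keytype, _bits, policy = m.groups()
            report.planned[(policy, keytype)] = int(count)
        elif m := DONE_RE.match(line):
            report.generated.append(m.group(1))
        elif m := ERR_RE.match(line):
            report.errors.append(m.group(1))
    return report

def findings(report: KeyGenReport, max_per_policy: int = 50) -> list:
    """Flag implausible key plans and HSM failures; the limit is an assumed local threshold."""
    out = []
    for (policy, keytype), n in report.planned.items():
        if n > max_per_policy:
            out.append(f"policy {policy!r}: {n} {keytype}s planned (limit {max_per_policy})")
    if any("HSM" in e for e in report.errors):
        out.append("HSM unreachable during key generation")
    return out

# Constructed sample: the 'lab' policy run from the mail, cut short at SIGINT.
SAMPLE = """generating 1 KSKs of 2048 bits for policy 'lab'.
generating 2048 bit RSA key in repository: SoftHSM
key generation successful: c7af790f81b1f24f60d0b553e19edf25
finished generating 2048 bit KSKs.
generating 2190 ZSKs of 1024 bits for policy 'lab'.
generating 1024 bit RSA key in repository: SoftHSM
"""

if __name__ == "__main__":
    for f in findings(parse_zone_add(SAMPLE)):
        print(f)
```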
_______________________________________________
Opendnssec-user mailing list
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user