Hi Emil,

Short: I tried to simulate your use case (with SoftHSM, on ubuntu-trusty-64 VM), but it seems to work for me. Perhaps I used slightly different commands? Can you share your used commands?
Best regards,
Matthijs

Audit trail: I started with

Keys:
Zone:         Keytype:  State:    Date of next transition:
example.com   KSK       publish   2014-12-16 23:55:02
example.com   ZSK       active    2015-03-16 09:55:02

On 16-12-14 08:54, Emil Natan wrote:
> Good morning,
>
> I have a test environment with ODS 1.4.6 and Keyper HSM where signing
> zones was working until I decided to remove all keys and start from scratch.
> I removed all keys with "ods-hsmutil purge"

$ sudo ods-hsmutil purge SoftHSM
Purging all keys from repository: SoftHSM
2 keys found.
Are you sure you want to remove ALL keys from repository SoftHSM ? (YES/NO)
YES
Starting purge...
Key remove successful: 816416e1255a1724021895b531c0e313
Key remove successful: 615ef6c218cc6bc6d714a0742a07617b
Purge done.

> reinitialized the HSM

Don't think this is necessary, but okay:

$ sudo softhsm --init-token --slot 0 --label "OpenDNSSEC"
The SO PIN must have a length between 4 and 255 characters.
Enter SO PIN:
The user PIN must have a length between 4 and 255 characters.
Enter user PIN:
The token has been initialized.

> removed the single zone I used to sign

$ sudo ods-ksmutil zone delete --zone example.com
zonelist filename set to /etc/opendnssec/zonelist.xml.
Zone list updated: 1 removed, 0 added, 0 updated.

> reinitialized the database "ods-ksmutil setup"

I think you should first stop the opendnssec service, but I will not do that now:

$ sudo ods-ksmutil setup
*WARNING* This will erase all data in the database; are you sure? [y/N] y
fixing permissions on file /var/opendnssec/kasp.db
zonelist filename set to /etc/opendnssec/zonelist.xml.
kasp filename set to /etc/opendnssec/kasp.xml.
Repository SoftHSM found
No Maximum Capacity set.
RequireBackup NOT set; please make sure that you know the potential problems of using keys which are not recoverable
INFO: The XML in /etc/opendnssec/conf.xml is valid
INFO: The XML in /etc/opendnssec/zonelist.xml is valid
INFO: The XML in /etc/opendnssec/kasp.xml is valid
WARNING: In policy default, Y used in duration field for Keys/KSK Lifetime (P1Y) in /etc/opendnssec/kasp.xml - this will be interpreted as 365 days
WARNING: In policy lab, Y used in duration field for Keys/KSK Lifetime (P1Y) in /etc/opendnssec/kasp.xml - this will be interpreted as 365 days
Policy default found
Info: converting P1Y to seconds; M interpreted as 31 days, Y interpreted as 365 days
Policy lab found
Info: converting P1Y to seconds; M interpreted as 31 days, Y interpreted as 365 days

> pregenerated new keys

But you have no zones currently (you removed the single zone)?

$ sudo ods-ksmutil key generate --policy default --interval P1Y
Key sharing is Off
Info: converting P1Y to seconds; M interpreted as 31 days, Y interpreted as 365 days
HSM opened successfully.
Info: 0 zone(s) found on policy "default"
No zones on policy default, skipping...

> added a zone

$ sudo ods-ksmutil zone add --zone example.com
zonelist filename set to /etc/opendnssec/zonelist.xml.
Imported zone: example.com

> updated, restarted all services.

$ sudo ods-control stop
Stopping enforcer...
Stopping signer engine...
Engine shut down.
$ sudo ods-control start
Starting enforcer...
OpenDNSSEC ods-enforcerd started (version 1.4.6), pid 28343
Starting signer engine...
OpenDNSSEC signer engine version 1.4.6
Engine running.

> Everything seems to have worked well, but the signer does not find one of the
> keys to sign the zone, more specifically the KSK.
> I went through the above process a few times, always ending with:
>
> Dec 16 09:40:27 debugsigner002 ods-signerd: [hsm] unable to get key: key f81e4b2cb33eec780320b6ceeb6f6bb8 not found
> Dec 16 09:40:27 debugsigner002 ods-signerd: [zone] unable to publish dnskeys for zone XXX: error creating dnskey
> Dec 16 09:40:27 debugsigner002 ods-signerd: [tools] unable to read zone XXX: failed to publish dnskeys (General error)
> Dec 16 09:40:27 debugsigner002 ods-signerd: [worker[4]] CRITICAL: failed to sign zone XXX: General error

For me, it finds the old key in the `/var/opendnssec/tmp/example.com.backup2` file and decides it is corrupted:

Dec 16 10:07:59 vagrant-ubuntu-trusty-64 ods-signerd: [hsm] libhsm connection opened succesfully
Dec 16 10:07:59 vagrant-ubuntu-trusty-64 ods-signerd: [engine] signer started (version 1.4.6), pid 28355
Dec 16 10:07:59 vagrant-ubuntu-trusty-64 ods-signerd: [hsm] unable to get key: key 615ef6c218cc6bc6d714a0742a07617b not found
Dec 16 10:07:59 vagrant-ubuntu-trusty-64 ods-signerd: [zone] unable to publish dnskeys for zone example.com: error creating dnskey
Dec 16 10:07:59 vagrant-ubuntu-trusty-64 ods-signerd: [zone] corrupted backup file zone example.com: unable to publish dnskeys (General error)
Dec 16 10:07:59 vagrant-ubuntu-trusty-64 ods-signerd: [engine] unable to recover zone example.com from backup, performing full sign
Dec 16 10:07:59 vagrant-ubuntu-trusty-64 ods-signerd: [signconf] zone example.com signconf: RESIGN[PT7200S] REFRESH[PT259200S] VALIDITY[PT1209600S] DENIAL[PT1209600S] JITTER[PT43200S] OFFSET[PT3600S] NSEC[50] DNSKEYTTL[PT3600S] SOATTL[PT3600S] MINIMUM[PT3600S] SERIAL[unixtime]
Dec 16 10:07:59 vagrant-ubuntu-trusty-64 ods-signerd: [STATS] example.com 1418724479 RR[count=61 time=0(sec)] NSEC3[count=60 time=0(sec)] RRSIG[new=112 reused=0 time=0(sec) avg=0(sig/sec)] TOTAL[time=0(sec)]

> The key exists in both HSM and database.
> ods-hsmutil lists it:
>
> root@debugsigner002:~# ods-hsmutil list | grep f81e4b2cb33eec780320b6ceeb6f6bb8
> Keyper f81e4b2cb33eec780320b6ceeb6f6bb8 RSA/2048
>
> ods-ksmutil shows it:
>
> root@debugsigner002:~# ods-ksmutil key list -v
> Keys:
> Zone:  Keytype:  State:   Date of next transition (to):  Size:  Algorithm:  CKA_ID:                           Repository:  Keytag:
> XXX    KSK       active   2016-01-16 09:49:45 (retire)   2048   8           f81e4b2cb33eec780320b6ceeb6f6bb8  Keyper       6061
> XXX    ZSK       active   2015-04-18 22:40:55 (retire)   1024   8           d2aa0ba9af0f41429d23ea387abb836a  Keyper
>
> External tools - dnssec-keyfromlabel can use it.
> No other errors in the log.
>
> Any ideas what's wrong? Suggestions what else to try?
> Thanks.
>
> Emil

_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
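The thread compares three sources by hand: the signer log, `ods-ksmutil key list -v` and `ods-hsmutil list`. The script below is an added example (not from the thread or the OpenDNSSEC project) that makes that comparison repeatable; the sample log, database and HSM lines are constructed in the shape of the output quoted above, mixing Emil's symptom with the stale-backup key from Matthijs's run, and the STALE/HSM-GAP/PRESENT labels are the script's own.

```shell
#!/bin/sh
# Added example (not part of the thread): triage "[hsm] unable to get key"
# by cross-checking the signer log against the enforcer database
# (ods-ksmutil key list -v) and the HSM (ods-hsmutil list).
# Inputs are constructed samples shaped like the quoted output; in
# practice feed the real command outputs and log excerpt.

# CKA_IDs are 32 hex characters in every output looked at here.
cka_ids() { grep -oE '[0-9a-f]{32}' | sort -u; }

# Keys the signer reported as "unable to get key: key <id> not found".
log_missing() { grep 'unable to get key' | cka_ids; }

# True if $1 occurs as a whole line in the newline-separated list $2.
in_list() { printf '%s\n' "$2" | grep -qx "$1"; }

# Classify each key the signer could not find:
#   STALE   - in neither DB nor HSM: the signer is replaying old state, e.g.
#             a /var/opendnssec/tmp/<zone>.backup2 file from before a purge
#   HSM-GAP - in the DB but not in the HSM: the enforcer references a key
#             the HSM no longer holds
#   PRESENT - in both: DB and HSM agree, so the mismatch lies elsewhere
classify() {
    db=$(printf '%s\n' "$2" | cka_ids)
    hsm=$(printf '%s\n' "$3" | cka_ids)
    printf '%s\n' "$1" | log_missing | while read -r id; do
        if in_list "$id" "$hsm"; then echo "PRESENT $id"
        elif in_list "$id" "$db"; then echo "HSM-GAP $id"
        else echo "STALE $id"; fi
    done
}

# Proactive check to run right after a purge: DB keys the HSM no longer has.
db_not_in_hsm() {
    hsm=$(printf '%s\n' "$2" | cka_ids)
    printf '%s\n' "$1" | cka_ids | while read -r id; do
        in_list "$id" "$hsm" || echo "$id"
    done
}

LOG_SAMPLE='Dec 16 09:40:27 debugsigner002 ods-signerd: [hsm] unable to get key: key f81e4b2cb33eec780320b6ceeb6f6bb8 not found
Dec 16 10:07:59 vagrant-ubuntu-trusty-64 ods-signerd: [hsm] unable to get key: key 615ef6c218cc6bc6d714a0742a07617b not found
Dec 16 10:07:59 vagrant-ubuntu-trusty-64 ods-signerd: [zone] unable to publish dnskeys for zone example.com: error creating dnskey'
DB_SAMPLE='XXX KSK active 2016-01-16 09:49:45 (retire) 2048 8 f81e4b2cb33eec780320b6ceeb6f6bb8 Keyper 6061
XXX ZSK active 2015-04-18 22:40:55 (retire) 1024 8 d2aa0ba9af0f41429d23ea387abb836a Keyper'
HSM_SAMPLE='Keyper f81e4b2cb33eec780320b6ceeb6f6bb8 RSA/2048'   # ZSK purged (constructed)
classify "$LOG_SAMPLE" "$DB_SAMPLE" "$HSM_SAMPLE"
db_not_in_hsm "$DB_SAMPLE" "$HSM_SAMPLE"
```

On a live system, a PRESENT result for the key in the log is the hint to look at the signer's own state files under /var/opendnssec/tmp, as in Matthijs's run.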
