On 06/22/2018 01:44 PM, Casper Gielen wrote:
> My main problem is that zones lose DNSKEYs and get stuck with unverifiable
> signatures.
>
> # ods-enforcer key list --zone wiskundeoptiu.nl -v
> Keys:
> Zone:             Keytype: State:  Date of next transition: Size: Algorithm: CKA_ID:                          Repository: KeyTag:
> wiskundeoptiu.nl  KSK      retire  2018-06-20 15:14:02      2048  8          489db07082a644fcfa67f077627b7c7c LocalHSM    39466
> wiskundeoptiu.nl  ZSK      retire  2018-06-20 15:14:02      1024  8          2f3c7829c40248b5537b3cd09266678c LocalHSM    50226
> wiskundeoptiu.nl  KSK      active  2018-06-20 15:14:02      2048  8          758cc85fc16528184f32dbfab70663f6 LocalHSM    62161
> wiskundeoptiu.nl  ZSK      active  2018-06-20 15:14:02      1024  8          8472c2bac0dbfc86d3a687644a3ef4f5 LocalHSM    59790
> wiskundeoptiu.nl  ZSK      ready   2018-06-20 15:14:02      1024  8          3e97dcd131d9264cad2fb84676ade00e LocalHSM    28818

Either this is a transcript from two days ago, or indeed something is stuck,
which (see later) might indeed be the case.

> # ods-enforcer key list --zone wiskundeoptiu.nl -d
> Keys:
> Zone:             Key role: DS:          DNSKEY:      RRSIGDNSKEY: RRSIG:       Pub: Act: Id:
> wiskundeoptiu.nl  KSK       hidden       hidden       hidden       NA           0    0    489db07082a644fcfa67f077627b7c7c
> wiskundeoptiu.nl  ZSK       NA           hidden       NA           hidden       0    0    2f3c7829c40248b5537b3cd09266678c
> wiskundeoptiu.nl  KSK       omnipresent  omnipresent  omnipresent  NA           1    1    758cc85fc16528184f32dbfab70663f6
> wiskundeoptiu.nl  ZSK       NA           omnipresent  NA           omnipresent  1    1    8472c2bac0dbfc86d3a687644a3ef4f5
> wiskundeoptiu.nl  ZSK       NA           omnipresent  NA           rumoured     1    1    3e97dcd131d9264cad2fb84676ade00e
>
> ZSK 50226 is still being used but it is not published in the zone.
> It used to be signed with KSK 39466 which is also missing.
>
> The only reasonable root cause that I can think of is that for a while
> the enforcer was running as root instead of the 'opendnssec' user. I've
> changed that and made sure that the opendnssec user is allowed to access
> the softhsm2 files.

I'm giving a quick reply now, even though I've not analyzed your mail further.
But your current remarks make sense and might already give a resolution to the
problem.

If you had previously been running OpenDNSSEC as root, the signconf.xml file
for the zone (normally located in a signconf directory, typically
/var/opendnssec/signconf/wiskundeoptiu.nl.xml) might have been written as the
root user, and when later running as a different user, OpenDNSSEC may then no
longer be able to replace this file. The message for this has probably been
overwhelmed by other messages. It will not re-try by itself, so what you need
to do is remove the files owned by root in the signconf directory and then
force re-generating them by giving an "ods-enforcer enforce" command to force
inspecting the zones.

There is no feedback loop from the signer to the enforcer, which is one of the
ideas to be put in as an (optional) feature. What this means is that the
enforcer will step through key roll procedures regardless of whether the signer
has actually picked up the changes (in the signconf). This will further lead to
problems because this means keys might actually be purged from the HSM and the
signer will then fail further on.

Could you check whether files are still owned by root?

\Berry

_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
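A quick check for the situation described in this thread, added here as an example that is not part of the original mail or of OpenDNSSEC: it lists signconf files not owned by the user the enforcer runs as and prints (rather than runs) the cleanup and "ods-enforcer enforce" steps from the reply. The directory /var/opendnssec/signconf and the user name opendnssec come from the mail; the helper function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): find signconf files that the OpenDNSSEC
# user can no longer replace because they were written by another user (root).
# Defaults follow the mail; override via the environment if your layout differs.
SIGNCONF_DIR="${SIGNCONF_DIR:-/var/opendnssec/signconf}"
ODS_USER="${ODS_USER:-opendnssec}"

# file_owner FILE -> owning user name (portable: third field of "ls -ld")
file_owner() {
    ls -ld "$1" | awk '{ print $3 }'
}

# foreign_signconf_files DIR USER -> "path owner" for each *.xml in DIR
# that is not owned by USER (no output when DIR is missing or empty)
foreign_signconf_files() {
    for f in "$1"/*.xml; do
        [ -e "$f" ] || continue          # glob stayed unexpanded: nothing to check
        owner=$(file_owner "$f")
        [ "$owner" = "$2" ] || printf '%s %s\n' "$f" "$owner"
    done
}

# count_foreign DIR USER -> number of mis-owned signconf files
count_foreign() {
    foreign_signconf_files "$1" "$2" | wc -l | tr -d ' '
}

# report DIR USER -> prints the findings and the remediation from the mail
# (remove the mis-owned signconf files, then "ods-enforcer enforce").
# It never deletes anything itself; exit status 1 means action is needed.
report() {
    n=$(count_foreign "$1" "$2")
    if [ "$n" = "0" ]; then
        echo "all signconf files in $1 are owned by $2"
        return 0
    fi
    echo "$n signconf file(s) in $1 not owned by $2:"
    foreign_signconf_files "$1" "$2" | while read -r path owner; do
        echo "  $path (owner: $owner)"
    done
    echo "suggested fix (run as root):"
    foreign_signconf_files "$1" "$2" | while read -r path owner; do
        echo "  rm -- '$path'"
    done
    echo "  ods-enforcer enforce    # makes the enforcer regenerate the signconf"
    return 1
}

if [ -d "$SIGNCONF_DIR" ]; then
    report "$SIGNCONF_DIR" "$ODS_USER"
fi
```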
