Thank you. I should have been more diligent/comprehensive previously.

The immediate error is that ods-signer does not find a key (id: ca7e41658c07917f82ca1a77794a235d) that it is expecting.

May 1 05:35:11 my_server ods-signerd[1960]: [hsm] unable to get key: key ca7e41658c07917f82ca1a77794a235d not found
May 1 05:35:11 my_server ods-signerd[1960]: [hsm] hsm_get_dnskey(): Got NULL key
May 1 05:35:11 my_server ods-signerd[1960]: [hsm] unable to get key: hsm failed to create dnskey
May 1 05:35:11 my_server ods-signerd[1960]: [zone] unable to prepare signing keys for zone my_domain.tld: error getting dnskey
May 1 05:35:11 my_server ods-signerd[1960]: [worker[1]] CRITICAL: failed to sign zone my_domain.tld: General error
May 1 05:35:11 my_server ods-signerd[1960]: back-off task [sign] for zone my_domain.tld with 3600 seconds


Looking back through the logs however, this is because ods-enforcer purged that key from the HSM two weeks ago. The signconf file appears not to have been correspondingly updated though and is therefore now inconsistent. So I now have:-

In signconf/<my_domain.tld>.xml
------------------------
    <Keys>
      <TTL>PT1H</TTL>
      <Key>
        <Flags>257</Flags>
        <Algorithm>13</Algorithm>
        <Locator>4017f49c5510cd7747298b8cf5b07c63</Locator>
        <KSK/>
        <Publish/>
      </Key>
      <Key>
        <Flags>256</Flags>
        <Algorithm>13</Algorithm>
        <Locator>ca7e41658c07917f82ca1a77794a235d</Locator>
      </Key>
      <Key>
        <Flags>256</Flags>
        <Algorithm>13</Algorithm>
        <Locator>87fc66abfbe9fbb4f2eb97b02f31b0f9</Locator>
        <ZSK/>
        <Publish/>
      </Key>
    </Keys>

From ods-enforcer key list -d
-----------------------------
my_domain.tld KSK omnipresent omnipresent omnipresent NA 1 1 4017f49c5510cd7747298b8cf5b07c63
my_domain.tld ZSK NA omnipresent NA omnipresent 1 1 87fc66abfbe9fbb4f2eb97b02f31b0f9

From log:
---------
Apr 21 19:09:55 my_server ods-enforcerd[1936]: [enforcer] update zone: my_domain.tld
Apr 21 19:09:55 my_server ods-enforcerd[1936]: [enforcer] removeDeadKeys deleting key: ca7e41658c07917f82ca1a77794a235d
Apr 21 19:09:56 my_server ods-enforcerd[1936]: [hsm_key_factory_delete_key] looking for keys to purge from HSM
Apr 21 19:09:56 my_server ods-enforcerd[1936]: [hsm_key_factory_get_key] removing key ca7e41658c07917f82ca1a77794a235d from HSM
Apr 21 19:09:56 my_server ods-enforcerd[1936]: [enforcer] removeDeadKeys: keys deleted from HSM: 1
Apr 21 19:09:56 my_server ods-enforcerd[1936]: [enforcer] update: key_data_update() failed
Apr 21 19:09:57 my_server ods-enforcerd[1936]: [enforce_task] No changes to signconf file required for zone my_domain.tld

I'm guessing the significant error is the key_data_update failure and that it probably relates to the change made in 2.1.8.

I suspect that just manually forcing regeneration of the signconf would correct the immediate failure but, as this is occurring on a domain which is relatively unimportant for me, I would like to try to understand how/why the situation has arisen and how to correct it properly/elegantly. I'm also anxious to reassure myself that the same error is not about to occur on other, more critical zones.

Colin
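The inconsistency Colin describes (a locator still referenced in the signconf after the enforcer purged that key from the HSM) can be checked across every zone before the signer trips on it. The following is an added example written for this thread, not code from the posters or from the OpenDNSSEC project. It parses a zone's signconf XML and the text output of `ods-enforcer key list -d`, and reports any locator the signer will ask the HSM for that the enforcer no longer lists. It assumes the usual `<SignerConfiguration><Zone name="..."><Keys>` layout and the `key list -d` column order shown in the thread (zone, key type, DS, DNSKEY, RRSIGDNSKEY, RRSIG, Pub, Act, Id); the sample inputs are constructed from the fragments posted above, and the file name `check_signconf.py` is only an assumption.

```python
"""Cross-check signconf key locators against `ods-enforcer key list -d`.

Added example for the opendnssec-user thread; not part of OpenDNSSEC.
Assumptions: signconf uses <SignerConfiguration><Zone name=...><Keys>, and
`ods-enforcer key list -d` prints one key per line in the column order
zone, key type, DS, DNSKEY, RRSIGDNSKEY, RRSIG, Pub, Act, Id (as in the
thread). Header lines are skipped because they do not match that pattern.
"""
import re
import subprocess
import sys
import xml.etree.ElementTree as ET

# Constructed sample signconf, modelled on the fragment posted in the thread.
SIGNCONF_XML = """<?xml version="1.0" encoding="UTF-8"?>
<SignerConfiguration>
  <Zone name="my_domain.tld">
    <Keys>
      <TTL>PT1H</TTL>
      <Key><Flags>257</Flags><Algorithm>13</Algorithm>
        <Locator>4017f49c5510cd7747298b8cf5b07c63</Locator><KSK/><Publish/></Key>
      <Key><Flags>256</Flags><Algorithm>13</Algorithm>
        <Locator>ca7e41658c07917f82ca1a77794a235d</Locator></Key>
      <Key><Flags>256</Flags><Algorithm>13</Algorithm>
        <Locator>87fc66abfbe9fbb4f2eb97b02f31b0f9</Locator><ZSK/><Publish/></Key>
    </Keys>
  </Zone>
</SignerConfiguration>
"""

# Constructed sample of `ods-enforcer key list -d`, modelled on the thread.
ENFORCER_KEY_LIST = """\
Keys:
Zone:          Key type:  DS:          DNSKEY:      RRSIGDNSKEY: RRSIG:       Pub: Act: Id:
my_domain.tld  KSK        omnipresent  omnipresent  omnipresent  NA           1    1    4017f49c5510cd7747298b8cf5b07c63
my_domain.tld  ZSK        NA           omnipresent  NA           omnipresent  1    1    87fc66abfbe9fbb4f2eb97b02f31b0f9
"""

# zone, key type, six state/flag columns, then the 32-hex-digit key id (HSM locator)
KEY_LINE = re.compile(
    r"^(?P<zone>\S+)\s+(?P<type>KSK|ZSK|CSK)\s+(?:\S+\s+){6}(?P<id>[0-9a-fA-F]{32})$"
)


def signconf_locators(xml_text):
    """Map zone -> {locator: {flags, roles, publish}} for every <Key> in a signconf."""
    zones = {}
    for zone in ET.fromstring(xml_text).iter("Zone"):
        keys = {}
        for key in zone.iter("Key"):
            loc = (key.findtext("Locator") or "").strip().lower()
            roles = [r for r in ("KSK", "ZSK", "CSK") if key.find(r) is not None]
            keys[loc] = {
                "flags": key.findtext("Flags"),
                "roles": roles,  # empty list: the signer signs nothing with this key
                "publish": key.find("Publish") is not None,
            }
        zones[zone.get("name")] = keys
    return zones


def enforcer_locators(text):
    """Map zone -> set of key ids the enforcer still tracks (from `key list -d`)."""
    zones = {}
    for line in text.splitlines():
        m = KEY_LINE.match(line.strip())
        if m:
            zones.setdefault(m["zone"], set()).add(m["id"].lower())
    return zones


def find_orphaned_locators(signconf_xml, enforcer_text):
    """Locators in the signconf that the enforcer no longer lists.

    Result: {zone: {locator: "inert" | "in use"}}. "inert" means the entry has
    no <KSK/>/<ZSK/>/<CSK/> and no <Publish/>; per the signer log in the thread
    the signer still fetches such a key from the HSM, so it still breaks signing.
    """
    enforcer = enforcer_locators(enforcer_text)
    orphans = {}
    for zone, keys in signconf_locators(signconf_xml).items():
        for loc, info in keys.items():
            if loc not in enforcer.get(zone, set()):
                status = "inert" if not info["roles"] and not info["publish"] else "in use"
                orphans.setdefault(zone, {})[loc] = status
    return orphans


def main(argv):
    """Usage: check_signconf.py /var/opendnssec/signconf/*.xml (queries the live enforcer)."""
    if len(argv) < 2:
        print("usage: check_signconf.py <signconf.xml>...", file=sys.stderr)
        return 2
    key_list = subprocess.run(["ods-enforcer", "key", "list", "-d"],
                              capture_output=True, text=True, check=True).stdout
    problems = 0
    for path in argv[1:]:
        with open(path, encoding="utf-8") as fh:
            for zone, locs in find_orphaned_locators(fh.read(), key_list).items():
                for loc, status in locs.items():
                    problems += 1
                    print(f"{zone}: locator {loc} ({status}) in {path} but unknown to enforcer")
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run against the constructed samples, `find_orphaned_locators` reports only `ca7e41658c07917f82ca1a77794a235d` for `my_domain.tld`, marked "inert". A non-zero exit from `main` on the live system is the signal that a zone's signconf needs regenerating before its next signing run, which is the check Colin wants for the more critical zones.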

On 03/05/2021 13:01, Berry van Halderen via Opendnssec-user wrote:
On 2021-05-03 13:39, Colin Spensley via Opendnssec-user wrote:
I have a zone managed by OpenDNSSEC 2 which now is not resolved by
validating resolvers. The reason appears to be that the RRSIG over the
DNSKEY RRset has been allowed to expire by ods-signer.

Ie. (crudely obfuscated):-

my_domain.tld.        3600    IN    RRSIG    DNSKEY 13 3 3600 20210501213711 20210418073317 47867 my_domain.tld. BIzcTyvmGi/OcLaBdXMExes/iyHkrUC1qOhg4W4ybcjsS/zAXz65NJBa oojfCzX7gUo/DD9mXaMFZTyWm8iLpA==

The signer does run for the domain but does not regenerate this signature.

Can anyone suggest what might be causing this error?


Your log should provide more information.  There should be some logging lines, probably in /var/log/messages indicating that "ods-signer" has some error.  I would suggest a grep ods-signer /var/log/messages.

\Berry
_______________________________________________
Opendnssec-user mailing list
Opendnssec-user@lists.opendnssec.org
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user