On 2021/12/06 02:36, Pp Xyz wrote:
> Well, servers are following -current on amd64 but reinstalled (-r)
> opendnssec package using the version from stable (7.0, amd64) instead of
> the snapshots version.
> It solved the issue and servers regained capacity to sign with the ed25519
> keys in use.
> There is something about that last commit that really broke opendnssec
> capacity to use ed25519 keys already in place.

Are you certain that this worked properly before (and didn't just
look like it worked)? It seems that opendnssec uses ldns to
do the actual signing; this has never supported Ed25519/Ed448 on
OpenBSD: the code is disabled unless NID_ED25519 is defined in
openssl/obj_mac.h.

What changed recently is that, in the ldns update, ldns stopped
providing definitions for Ed25519/Ed448-related constants unless
the code actually providing that support is built. And the patch to
opendnssec was just to follow suit and skip Ed25519/Ed448 unless the
installed ldns library is built with that support. (It looked to
me like this was botched when opendnssec added ed25519 support
- it used the code without checking that ldns really supported it.)

If you're sure it worked, can you give me some commands to type to
reproduce it? I tried with the docs on the wiki but they have never been
updated properly for 2.0, and trying to figure it out based on outdated
docs that aren't very good to start with, plus "what changed since
1.4", is not my idea of fun.

> PpMiguel
> 
> On Mon, 6 Dec 2021, 01:18 Pp Xyz, <[email protected]> wrote:
> 
> > I am sorry if I'm missing something but can't figure this one out...
> > Did the last commit to  by sthen on 2021/11/28 to opendnssec port with
> > patches for libhsm break servers using ed25519 keys by removing ability to
> > sign or resign the zones with current keys?
> > Nothing else changed on my servers, keys are listed and seem ok.
> > Have a few domains using ed25519 keys, all stopped signing after last
> > commit.
> >
> > Log repeats same over and over:
> >
> > ods-signerd : [hsm] error signing rrset with libhsm
> > ods-signerd : [rrset] unable to sign RRset[50]: lhsm_sign() failed
> >
> > Anyone else has same problem?
> > Is there a way to recover the signing capability?
> >
> > Thanks in advance for your help and thank you to all Devs for such great
> > work
> >
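
The reply above hinges on a chain of conditions: the OpenSSL/LibreSSL header defines NID_ED25519, ldns was built with that support, and libcrypto can actually do Ed25519. The following script is an added diagnostic written for this thread, not something posted by either participant or shipped by ldns or opendnssec; it checks each link of that chain so an operator can tell whether an installation could ever have signed with Ed25519 through ldns. The header path (OBJ_MAC_H) and the assumption that `openssl` and `ldns-keygen` are on PATH are mine; adjust them for the system under test.

```shell
#!/bin/sh
# Added diagnostic (not from the thread): checks each layer of the
# Ed25519 signing chain described in the reply. The header path and
# the tool names are assumptions; override OBJ_MAC_H for your system.

OBJ_MAC_H="${OBJ_MAC_H:-/usr/include/openssl/obj_mac.h}"

# 1. Does the installed OpenSSL/LibreSSL header define NID_ED25519?
#    ldns only compiles its Ed25519/Ed448 code when this macro exists.
check_header() {
    if [ -r "$OBJ_MAC_H" ] &&
       grep -q 'define[[:space:]]*NID_ED25519' "$OBJ_MAC_H"; then
        echo yes
    else
        echo no
    fi
}

# 2. Can libcrypto actually produce an Ed25519 key? A header macro alone
#    is not proof that the library implements the algorithm.
check_openssl() {
    if command -v openssl >/dev/null 2>&1 &&
       openssl genpkey -algorithm ED25519 >/dev/null 2>&1; then
        echo yes
    else
        echo no
    fi
}

# 3. Does the installed ldns advertise ED25519? ldns-keygen -a list
#    prints the algorithms the library was built with.
check_ldns() {
    if command -v ldns-keygen >/dev/null 2>&1 &&
       ldns-keygen -a list 2>&1 | grep -qi 'ED25519'; then
        echo yes
    else
        echo no
    fi
}

# One-line summary: header=<yes|no> openssl=<yes|no> ldns=<yes|no>.
# If ldns=no, a signer that relies on ldns cannot have produced valid
# Ed25519 signatures, whatever the keys in the HSM look like.
ed25519_support_report() {
    echo "header=$(check_header) openssl=$(check_openssl) ldns=$(check_ldns)"
}

ed25519_support_report
```

Run it on the affected host before and after swapping the opendnssec package: a result with `ldns=no` means the ldns layer never had Ed25519 support, which is the situation the reply describes, and any apparent success earlier deserves a closer look at what the signer was actually writing into the zone.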
