>> On Mon, 6 Dec 2021, 09:48 Stuart Henderson, <[email protected]> wrote:
>>
>>> Are you certain that this worked properly
>>> If you're sure it worked, can you give me some commands to type to
>>> reproduce it? I tried with the docs on the wiki but they have never been
>>> updated properly for 2.0 and trying to figure it out based on outdated
>>> docs that aren't very good to start with, plus "what changed since
>>> 1.4" is not my idea of fun.
>>>
>>
> A small correction although it might be useful:
>
> Original setup was done on 2020/03/12 with amd64 openbsd updated to
> current and packages from snapshots.
> That means opendnssec was version 2.1.6 and softhsm2 was 2.6.0 already
> with botan2.
> Most keys were generated then, even those to be used in future key
> changes.
> I believe the ods-hsmutil showed correctly the test and option to generate
> EDDSA ed25519 keys at the time.
> At this moment, servers with opendnssec package version from 7.0 stable
> when performing ods-hsmutil test show:
> [...]
> Signing with (ECDSA/SHA384) with key...
> Generating ED25519 key... OK
> Extracting key identifier... OK, [Key identifier]
> Signing with key... OK
> Deleting key... OK
>
> Generating ED448 key... Failed
>
Another piece of the puzzle:

On the servers where opendnssec was updated to the latest snap version (breaking ed25519 signing support) and later reverted to the package from 7.0 amd64 (regaining ed25519 signing support), it is again possible to also generate new ed25519 keys into the repository:

Update conf.xml to increase the period of pre-generated keys, e.g.

  <AutomaticKeyGenerationPeriod>P2Y</AutomaticKeyGenerationPeriod>

Then, after updating conf and enforcing policy, it is possible to generate more keys:

  ods-enforcer update conf
  ods-enforcer key generate --policy <policywithalgo25>

Several new keys will now be listed in the repository with type EDDSA/255.

The same process fails on the server with the latest opendnssec snap package (not reverted) with log:

  ods-enforcerd: 1 new KSK(s) (256 bits) need to be created.
  ods-enforcerd: [hsm_key_factory_generate] key generation failed
  ods-enforcerd: 4 new ZSK(s) (256 bits) need to be created.
  ods-enforcerd: [hsm_key_factory_generate] key generation failed

Can't think of what else to add that might be helpful but let me know if there is.

Ppmiguel
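An added example, not part of the thread or of OpenDNSSEC itself: a small Python checker that reads the two kinds of output quoted above (ods-hsmutil test results and ods-enforcerd log lines) and reports which key algorithms the HSM could generate and which KSK/ZSK requests hit the hsm_key_factory_generate failure, so an exhausted pre-generated key pool is caught before the zone signer runs out of keys. The sample text is constructed from the lines quoted in the thread; the line formats are assumed from those quotes only.

```python
import re
from typing import Dict, List

# Constructed sample: excerpt of "ods-hsmutil test" output as quoted in the thread.
HSMUTIL_TEST_OUTPUT = """\
Generating ED25519 key... OK
Extracting key identifier... OK, [Key identifier]
Signing with key... OK
Deleting key... OK

Generating ED448 key... Failed
"""

# Constructed sample: ods-enforcerd log lines as quoted in the thread.
ENFORCERD_LOG = """\
ods-enforcerd: 1 new KSK(s) (256 bits) need to be created.
ods-enforcerd: [hsm_key_factory_generate] key generation failed
ods-enforcerd: 4 new ZSK(s) (256 bits) need to be created.
ods-enforcerd: [hsm_key_factory_generate] key generation failed
"""

# Line shapes assumed from the quoted output, not from OpenDNSSEC documentation.
GEN_RE = re.compile(r"^Generating (\S+) key\.\.\. (OK|Failed)\b")
NEED_RE = re.compile(r"(\d+) new (KSK|ZSK)\(s\) \((\d+) bits\) need to be created")
FAIL_MARK = "[hsm_key_factory_generate] key generation failed"

def hsm_algorithm_support(test_output: str) -> Dict[str, bool]:
    """Map each key type ods-hsmutil tried to generate to True (OK) or False (Failed)."""
    support: Dict[str, bool] = {}
    for line in test_output.splitlines():
        m = GEN_RE.match(line.strip())
        if m:
            support[m.group(1)] = m.group(2) == "OK"
    return support

def failed_key_requests(log: str) -> List[dict]:
    """Pair each 'N new KSK/ZSK ... need to be created' line with the
    hsm_key_factory_generate failure that follows it, so the reader sees
    which role and size the enforcer could not replenish."""
    failures: List[dict] = []
    pending = None
    for line in log.splitlines():
        m = NEED_RE.search(line)
        if m:
            pending = {"count": int(m.group(1)), "role": m.group(2), "bits": int(m.group(3))}
            continue
        if FAIL_MARK in line and pending is not None:
            failures.append(pending)
            pending = None
    return failures

if __name__ == "__main__":
    print(hsm_algorithm_support(HSMUTIL_TEST_OUTPUT))
    print(failed_key_requests(ENFORCERD_LOG))
```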
