On Mon, 2014-06-09 at 15:47 +0200, David Peall wrote:
> On 09 Jun 2014, at 2:39 PM, Siôn Lloyd <s...@nominet.org.uk> wrote:
>
> > On 09/06/14 11:30, David Peall wrote:
> >>
> >> But then:
> >> ods-signerd: [hsm] unable to get key: key 994410881c1e66e2d075ed1ed1756679 not found
> >> ods-signerd: [zone] unable to publish dnskeys for zone <zone>: error creating dnskey
> >> ods-signerd: [tools] unable to read zone <zone>: failed to publish dnskeys (General error)
> >>
> >> But:
> >> ods-ksmutil key list --verbose
> >> Zone:   Keytype:  State:    Date of next transition (to):  Size:  Algorithm:  CKA_ID:                           Repository:  Keytag:
> >> <zone>  KSK       publish   2014-06-10 02:17:13 (ready)    2048   8           994410881c1e66e2d075ed1ed1756679  thales       15664
> >>
> >> Is this because the key is not active? Is this a bug?
> > Hi David,
> >
> > The state of the key is not causing this... Does the signer run as the same user/group as the enforcer?
>
> Yes, both the signer and enforcer run as the same user and group.
>
> Regards
> —
> David Peall
>
Just for fun, switched user to 'opendnssec' (the unix user).. in conf.xml I have....

<Enforcer>
  <Privileges>
    <User>opendnssec</User>
    <Group>opendnssec</Group>
  </Privileges>

-and-

<Signer>
  <Privileges>
    <User>opendnssec</User>
    <Group>opendnssec</Group>
  </Privileges>

Can both list keys and create keys....

root@mjedev:/home/mje# su - opendnssec
opendnssec@mjedev:~$ id
uid=106(opendnssec) gid=111(netdev) groups=111(netdev),998(nfast),999(softhsm)
opendnssec@mjedev:~$ ods-ksmutil key list --verbose
MySQL database schema set to: KASP
MySQL database user set to: kaspuser
MySQL database password set
Keys:
Zone:   Keytype:  State:   Date of next transition (to):  Size:  Algorithm:  CKA_ID:                           Repository:  Keytag:
<zone>  KSK       active   2015-05-29 07:53:46 (retire)   2048   8           4e75a05b5b65f8767d54ff2a303417c6  thales       1244
[others deleted]
opendnssec@mjedev:~$ ods-ksmutil key generate --policy zacr-nsec3 --zonetotal 3 --interval 3D
Key sharing is Off
HSM opened successfully.
Info: 2 zone(s) found on policy "zacr-nsec3"
Info: Keys will actually be generated for a total of 3 zone(s) as specified by zone total parameter
1 new KSK(s) (2048 bits) need to be created for policy zacr-nsec3: keys_to_generate(1) = keys_needed(3) - keys_available(2).
1 new ZSK(s) (1024 bits) need to be created for policy zacr-nsec3: keys_to_generate(1) = keys_needed(3) - keys_available(2).
*WARNING* This will create 1 KSKs (2048 bits) and 1 ZSKs (1024 bits)
Are you sure? [y/N] Y
Created KSK size: 2048, alg: 8 with id: 85d783cf86e25fe6c9bce3cbac1cf851 in repository: thales and database.
Created ZSK size: 1024, alg: 8 with id: 98559ea5bf30685356f4d51e1ca41346 in repository: thales and database.
all done! hsm_close result: 0

Any progress???

-- 
Mark James ELKINS - Posix Systems - (South) Africa
m...@posix.co.za  Tel: +27.128070590  Cell: +27.826010496
For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za
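Siôn's question (does the signer run as the same user/group as the enforcer?) can be checked against conf.xml rather than by running ods-ksmutil interactively, since an interactive shell says nothing about the daemon's effective account. The script below is an added example, not code from the thread or from OpenDNSSEC; it parses two constructed conf.xml documents modelled on the <Privileges> fragment Mark quoted.

```shell
#!/bin/sh
# Added example (not from the thread or from OpenDNSSEC): read the <Privileges>
# of the Enforcer and Signer sections of conf.xml and check that both daemons
# are configured to run as the same user and group. A key created by the
# enforcer as one account can be unreachable for ods-signerd running as
# another, even though ods-ksmutil (run by hand) lists it happily.

# Constructed conf.xml modelled on the fragment quoted in the thread (sections match).
SAMPLE_CONF='<Configuration>
  <Enforcer><Privileges>
    <User>opendnssec</User>
    <Group>opendnssec</Group>
  </Privileges></Enforcer>
  <Signer><Privileges>
    <User>opendnssec</User>
    <Group>opendnssec</Group>
  </Privileges></Signer>
</Configuration>'

# Constructed counter-example: the Signer section runs as a different account.
MISMATCH_CONF='<Configuration>
  <Enforcer><Privileges><User>opendnssec</User><Group>opendnssec</Group></Privileges></Enforcer>
  <Signer><Privileges><User>root</User><Group>root</Group></Privileges></Signer>
</Configuration>'

# privileges_of SECTION CONF_TEXT  ->  prints "user:group" configured for SECTION
privileges_of() {
  printf '%s\n' "$2" | awk -v sec="$1" '
    $0 ~ "<" sec ">"    { inside = 1 }
    inside && /<User>/  { s = $0; sub(/.*<User>/, "", s);  sub(/<\/User>.*/, "", s);  user = s }
    inside && /<Group>/ { s = $0; sub(/.*<Group>/, "", s); sub(/<\/Group>.*/, "", s); group = s }
    $0 ~ "</" sec ">"   { inside = 0 }
    END { printf "%s:%s\n", user, group }'
}

# same_privileges CONF_TEXT  ->  exit status 0 when Enforcer and Signer agree
same_privileges() {
  [ "$(privileges_of Enforcer "$1")" = "$(privileges_of Signer "$1")" ]
}

# report NAME CONF_TEXT  ->  one human-readable line per configuration
report() {
  if same_privileges "$2"; then
    echo "$1: enforcer and signer both run as $(privileges_of Signer "$2")"
  else
    echo "$1: MISMATCH enforcer=$(privileges_of Enforcer "$2") signer=$(privileges_of Signer "$2")"
  fi
}

report SAMPLE_CONF "$SAMPLE_CONF"
report MISMATCH_CONF "$MISMATCH_CONF"
```

Run it against the real file with the same functions (for example `same_privileges "$(cat /etc/opendnssec/conf.xml)"`, path assumed); a match rules the configuration out and points the investigation at the HSM token's access rules instead.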
_______________________________________________
Opendnssec-user mailing list
Opendnssec-user@lists.opendnssec.org
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user