-
Type:
New Feature
-
Status: Closed
-
Priority:
Trivial
-
Resolution: Fixed
-
Affects Version/s: None
-
Fix Version/s: None
-
Component/s: Enforcer
-
Labels:None
I did something awful -- I deleted a public key in the HSM by going under OpenDNSSEC. So what follows is certainly not a showstopper for 1.0, but it did seem unpractical how OpenDNSSEC responded. Platform was RC2.
ksmutil lists the half key as "NOT IN repository", which is a very clear indicator of the exceptional situation. But when I try to roll it (using the CKA_ID, lacking the keytag) I get a complaint from ksk-roll that I don't quite understand to be a necessary hurdle to recover from a missing key. After ksmutil key rollover I did/got:
[~|root@apollo]# ksmutil key ksk-roll --zone openfortress.nl --cka_id 20a4f17382d2e9fcb73e01d58c4cc167
WARNING This will retire the currently active KSK; are you sure? [y/N] y
SQLite database set to: /var/opendnssec/kasp.db
Error: keytag "(null)"; should be numeric only
It turns out that I am stuck with a key that doesn't want to work anymore -- and I don't think this is desirable behaviour, if it can be avoided. Should the keytag-is-null perhaps be tuned down to a warning to improve the practical usefulness of OpenDNSSEC?
This is not just sillyness -- storage space in an HSM is expensive, so I am seeing if I can avoid using it for public keys. I will also try if I can store the public key on a cheaper medium.