
OpenDNSSEC does not update signconf when key is deleted from HSM

    Details

    • Type: Bug
    • Status: Open
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: 2.1.8
    • Fix Version/s: 2.1.10
    • Component/s: Enforcer
    • Labels:
      None
    • Environment:

      RHEL 7.9

      OpenDNSSEC 2.1.8

      MariaDB 5.5.68

      Hardware HSM

      Description

      The following log section shows that a key is removed, but the signconf is not updated. This will result in an issue when restarting OpenDNSSEC.

      May 28 10:54:49 arn2-ops-sign01-p ods-enforcerd: [enforcer] updateZone: processing key 7df136c275f69799329c8b86b9b30494 4
      May 28 10:54:49 arn2-ops-sign01-p ods-enforcerd: [enforcer] updateZone: processing key d2b792f3bba995a910ae88e8d071860d 1
      May 28 10:54:49 arn2-ops-sign01-p ods-enforcerd: [enforcer] updateZone: processing key 51d6c66bcf7bbd1b9d775782edb67481 1
      May 28 10:54:49 arn2-ops-sign01-p ods-enforcerd: [enforcer] removeDeadKeys deleting key: d2b792f3bba995a910ae88e8d071860d
      May 28 10:54:49 arn2-ops-sign01-p ods-enforcerd: [hsm_key_factory_delete_key] looking for keys to purge from HSM
      May 28 10:54:49 arn2-ops-sign01-p ods-enforcerd: [hsm_key_factory_get_key] removing key d2b792f3bba995a910ae88e8d071860d from HSM
      May 28 10:54:49 arn2-ops-sign01-p ods-enforcerd: [enforcer] removeDeadKeys: keys deleted from HSM: 1
      May 28 10:54:49 arn2-ops-sign01-p ods-enforcerd: [enforcer] update: key_data_update() failed
      May 28 10:54:49 arn2-ops-sign01-p ods-enforcerd: [enforce_task] No changes to signconf file required for zone politie

      This is because, when ODS is restarted, it will try to use the old key, which is no longer available in the HSM, and this will result in the following log lines:

      Jun 25 13:31:01 arn2-ops-sign01-p ods-signerd: [hsm] unable to get key: key d2b792f3bba995a910ae88e8d071860d not found
      Jun 25 13:31:01 arn2-ops-sign01-p ods-signerd: [hsm] hsm_get_dnskey(): Got NULL key
      Jun 25 13:31:01 arn2-ops-sign01-p ods-signerd: [hsm] unable to get key: hsm failed to create dnskey
      Jun 25 13:31:01 arn2-ops-sign01-p ods-signerd: [zone] unable to prepare signing keys for zone politie: error getting dnskey
      Jun 25 13:31:01 arn2-ops-sign01-p ods-signerd: [worker[3]] CRITICAL: failed to sign zone politie: General error

      I would expect the signconf to be updated when the key is removed from the HSM.

      Regards,

      Stefan Ubbink
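The failure mode in this report can be caught before a restart. The following is an added example (not OpenDNSSEC's own code) with two independent checks: a log scanner that flags the exact sequence quoted above (a key removed from the HSM, then `key_data_update() failed`, then "No changes to signconf file required"), and a cross-check of the `<Locator>` values in a zone's signconf.xml against the key IDs still present in the HSM. The enforcer lines are the ones from this report; the signconf key set and the `ods-hsmutil list`-style output are constructed sample data, and the exact column layout of that listing is an assumption (only the 32-hex-digit ID column is relied on).

```python
"""Stale-signconf check after an HSM key purge (added example, not OpenDNSSEC code).

Two independent checks to run before restarting ods-signerd:
  1. scan ods-enforcerd log lines for the sequence in the report: a key is
     removed from the HSM, key_data_update() fails, and the enforcer then
     decides no signconf change is needed;
  2. cross-check the <Locator> values in a zone's signconf.xml against the
     key IDs still present in the HSM, so a reference to a purged key is
     caught before the signer tries to load it.
"""
import re
import xml.etree.ElementTree as ET

HEX_ID = r"[0-9a-f]{32}"
RE_REMOVED = re.compile(r"removing key (" + HEX_ID + r") from HSM")
RE_UPDATE_FAILED = re.compile(r"key_data_update\(\) failed")
RE_NO_CHANGE = re.compile(r"No changes to signconf file required for zone (\S+)")


def find_stale_signconf_events(log_lines):
    """Return (key_id, zone) pairs for keys purged from the HSM whose removal
    was followed by a failed key_data_update() and an unchanged signconf."""
    events = []
    removed = []          # key IDs purged since the last signconf decision
    update_failed = False
    for line in log_lines:
        m = RE_REMOVED.search(line)
        if m:
            removed.append(m.group(1))
            continue
        if RE_UPDATE_FAILED.search(line):
            update_failed = True
            continue
        m = RE_NO_CHANGE.search(line)
        if m:
            if removed and update_failed:
                events.extend((key, m.group(1)) for key in removed)
            # each signconf decision line closes the current window
            removed, update_failed = [], False
    return events


def signconf_locators(signconf_xml):
    """Extract the <Locator> values (HSM key IDs) referenced by a signconf."""
    root = ET.fromstring(signconf_xml)
    return [loc.text.strip() for loc in root.iter("Locator") if loc.text]


def hsm_key_ids(hsmutil_output):
    """Collect 32-hex-digit key IDs from `ods-hsmutil list`-style output.
    Only the ID column is relied on; the rest of the layout is an assumption."""
    return set(re.findall(r"\b" + HEX_ID + r"\b", hsmutil_output))


def missing_keys(signconf_xml, hsmutil_output):
    """Locators the signconf still references but the HSM no longer holds."""
    present = hsm_key_ids(hsmutil_output)
    return sorted(loc for loc in signconf_locators(signconf_xml)
                  if loc not in present)


# --- sample data --------------------------------------------------------------
# Enforcer lines as quoted in the report.
SAMPLE_LOG = """\
May 28 10:54:49 arn2-ops-sign01-p ods-enforcerd: [enforcer] updateZone: processing key 7df136c275f69799329c8b86b9b30494 4
May 28 10:54:49 arn2-ops-sign01-p ods-enforcerd: [enforcer] updateZone: processing key d2b792f3bba995a910ae88e8d071860d 1
May 28 10:54:49 arn2-ops-sign01-p ods-enforcerd: [enforcer] updateZone: processing key 51d6c66bcf7bbd1b9d775782edb67481 1
May 28 10:54:49 arn2-ops-sign01-p ods-enforcerd: [enforcer] removeDeadKeys deleting key: d2b792f3bba995a910ae88e8d071860d
May 28 10:54:49 arn2-ops-sign01-p ods-enforcerd: [hsm_key_factory_delete_key] looking for keys to purge from HSM
May 28 10:54:49 arn2-ops-sign01-p ods-enforcerd: [hsm_key_factory_get_key] removing key d2b792f3bba995a910ae88e8d071860d from HSM
May 28 10:54:49 arn2-ops-sign01-p ods-enforcerd: [enforcer] removeDeadKeys: keys deleted from HSM: 1
May 28 10:54:49 arn2-ops-sign01-p ods-enforcerd: [enforcer] update: key_data_update() failed
May 28 10:54:49 arn2-ops-sign01-p ods-enforcerd: [enforce_task] No changes to signconf file required for zone politie
"""

# Constructed signconf for the zone, trimmed to the elements this check reads
# (element names follow OpenDNSSEC's signconf; the key set is made up).
SAMPLE_SIGNCONF = """\
<SignerConfiguration>
  <Zone name="politie">
    <Keys>
      <Key><Flags>257</Flags><Algorithm>8</Algorithm><Locator>7df136c275f69799329c8b86b9b30494</Locator><KSK/><Publish/></Key>
      <Key><Flags>256</Flags><Algorithm>8</Algorithm><Locator>d2b792f3bba995a910ae88e8d071860d</Locator><ZSK/><Publish/></Key>
      <Key><Flags>256</Flags><Algorithm>8</Algorithm><Locator>51d6c66bcf7bbd1b9d775782edb67481</Locator><ZSK/><Publish/></Key>
    </Keys>
  </Zone>
</SignerConfiguration>
"""

# Constructed `ods-hsmutil list`-style output after the purge: d2b7... is gone.
SAMPLE_HSM_LIST = """\
Repository   ID                                Type
----------   --                                ----
hsm          7df136c275f69799329c8b86b9b30494  RSA/2048
hsm          51d6c66bcf7bbd1b9d775782edb67481  RSA/1024
"""

if __name__ == "__main__":
    for key, zone in find_stale_signconf_events(SAMPLE_LOG.splitlines()):
        print(f"zone {zone}: key {key} purged from HSM but signconf not rewritten")
    for key in missing_keys(SAMPLE_SIGNCONF, SAMPLE_HSM_LIST):
        print(f"signconf references {key}, which is no longer in the HSM")
```

Run against real data by feeding the enforcer's syslog lines to `find_stale_signconf_events` and the zone's signconf.xml plus the current `ods-hsmutil list` output to `missing_keys`; a non-empty result from either means the signer will fail with the "key ... not found" errors shown above on its next restart, and the signconf should be regenerated first.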

            People

            Assignee: Berry van Halderen
            Reporter: unixbeheer (unixbeheer@sidn.nl)
            Votes: 1
            Watchers: 2
