Hello,
I upgraded my signing server to Debian 13, but I have a problem with my HSM:
Oct 15 21:09:18 arrakeen knotd[29552]: error: [durel.org.] zone event 'load' failed (PKCS #11 token not available)
Oct 15 21:09:18 arrakeen knotd[29552]: error: [geekwu.org.] zone event 'load' failed (PKCS #11 token not available)
keymgr gives me the same error:
# keymgr geekwu.org list
error: failed to initialize KASP (PKCS #11 token not available)
despite hsmwiz being able to access the key:
# hsmwiz identify
Using reader with a card: Nitrokey Nitrokey HSM (DENK01067960000 ) 00 00
Version : 3.4
Config options :
User PIN reset with SO-PIN enabled
SO-PIN tries left : 15
User PIN tries left : 3
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Default SO-PIN: 3537363231383830 Default PIN: 648219
Now executing: pkcs15-tool --dump
Using reader with a card: Nitrokey Nitrokey HSM (DENK01067960000 ) 00 00
PKCS#15 Card [knot]:
Version : 0
Serial number : DENK0106796
Manufacturer ID: www.CardContact.de
Flags : PRN generation[...]
Public EC Key [Private Key]
Object Flags : [0x00]
Usage : [0x140], verify, derive
Access Flags : [0x02], extract
FieldLength : 384
Key ref : 0 (0x00)
Native : no
ID : 74f59bc17317bfccc5806108d84df1abd275faef
DirectValue : <present>
Knot is using this keystore:
keystore:
  - id: nitrokey
    backend: pkcs11
    config: "pkcs11:pin-value=*** /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so"
I verified /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so still exists, and ldd doesn't report any missing dependency
strace let me see the communication with pcscd, whose logs have these:
Oct 15 21:20:14 arrakeen systemd[1]: Started pcscd.service - PC/SC Smart Card Daemon.
Oct 15 21:20:20 arrakeen pcscd[33186]: 00000000 ../src/auth.c:166:IsClientAuthorized() Process 33204 (user: 134) is NOT authorized for action: access_pcsc
Oct 15 21:20:20 arrakeen pcscd[33186]: 00000071 ../src/winscard_svc.c:357:ContextThread() Rejected unauthorized PC/SC client
After a bit of digging, I found it's controlled by polkit, and added a brutal rule:
# cat /etc/polkit-1/rules.d/pcsc.rules
/* -*- mode: js; js-indent-level: 4; indent-tabs-mode: nil -*- */
polkit.addRule(function(action, subject) {
    if (subject.isInGroup("pcsc")) {
        return polkit.Result.YES;
    }
});
With knot added to the pcsc group, it can access the HSM again.
Do you know of a better way to configure this?
NB: I'm using another account, as I began to write this with no DNS server running.
Regards,
--
Bastien Durel
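As an added example (not Bastien's rule file and not anything shipped by Knot or pcsc-lite), here is a narrower form of the same polkit rule: it answers only for pcsc-lite's two action ids and only for a listed service account, instead of granting every polkit action to everyone in the pcsc group. The `polkit` stub and the `decide` helper are assumptions added so the rule body can be run under node offline; the full action ids `org.debian.pcsc-lite.access_pcsc` and `access_card` come from pcsc-lite's policy file (the journal line above prints the short form `access_pcsc`), and the service account name `knot` is assumed.

```javascript
// Added example, not from the original post or from Knot/pcsc-lite.
// Assumptions: the Knot service account is named "knot"; the action ids
// below are pcsc-lite's (the journal shows only the short form access_pcsc).

// Minimal stand-in for the objects polkitd provides to rule files, so the
// rule body can be exercised offline with node (stub, not the real API).
var polkit = {
    Result: { NO: "no", YES: "yes", NOT_HANDLED: null },
    _rules: [],
    addRule: function (fn) { this._rules.push(fn); },
    log: function (msg) { /* polkitd writes this to the journal */ }
};

// ---- rule body: what would go in /etc/polkit-1/rules.d/pcsc.rules ----
var PCSC_ACTIONS = [
    "org.debian.pcsc-lite.access_pcsc",   // open a PC/SC context
    "org.debian.pcsc-lite.access_card"    // connect to a card in a reader
];
var PCSC_USERS = ["knot"];               // accounts allowed to reach the HSM

polkit.addRule(function (action, subject) {
    if (PCSC_ACTIONS.indexOf(action.id) === -1) {
        return polkit.Result.NOT_HANDLED;   // not a pcscd action: skip this rule
    }
    if (PCSC_USERS.indexOf(subject.user) !== -1) {
        polkit.log("pcsc: allowing " + action.id + " for " + subject.user);
        return polkit.Result.YES;
    }
    return polkit.Result.NOT_HANDLED;       // anyone else: default policy applies
});
// ---- end of rule body ----

// Evaluate like polkitd: rules run in order, the first non-null result wins.
function decide(actionId, user, groups) {
    var action = { id: actionId };
    var subject = {
        user: user,
        isInGroup: function (g) { return groups.indexOf(g) !== -1; }
    };
    for (var i = 0; i < polkit._rules.length; i++) {
        var r = polkit._rules[i](action, subject);
        if (r !== null && r !== undefined) { return r; }
    }
    return polkit.Result.NOT_HANDLED;
}
```

Only the section between the two "rule body" markers belongs in the rules file; the rule body is kept to ES5 syntax because polkitd's embedded JavaScript engine does not promise ES6 support.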
Hi
We recently tried to upgrade to knot 3.5.0, but ran into a problem. It appears zones added via `conf-set include` are not working until knot is reloaded.
So, to reduce calls to knotc when inserting a number of domains, we build a config fragment and then use `knotc conf-set include fragment.conf` to load it.
With 3.4.8 this worked fine. For example:
# /opt/knot/sbin/knotc -C /local/knot_dns/conf/ -s /run/knot_dns/knot_dns.sock status version
3.4.8
# dig +short foo.com @10.37.129.215 SOA
# cat > /local/knot_dns/zones/foo.com.zone <<EOF
foo.com. 3600 IN SOA ( ns1.fastmaildev.com.
postmaster.fastmaildev.com.
2025091802 ;serial
86133 ;refresh
600 ;retry
1209600 ;expire
3600 ;minimum
)
foo.com. 3600 IN NS ns1.fastmaildev.com.
foo.com. 3600 IN NS ns2.fastmaildev.com.
EOF
# cat > /tmp/zone.conf <<EOF
zone:
  - domain: foo.com
    template: "default"
EOF
# /opt/knot/sbin/knotc -C /local/knot_dns/conf/ -s /run/knot_dns/knot_dns.sock conf-begin
OK
# /opt/knot/sbin/knotc -C /local/knot_dns/conf/ -s /run/knot_dns/knot_dns.sock conf-set include /tmp/zone.conf
OK
# /opt/knot/sbin/knotc -C /local/knot_dns/conf/ -s /run/knot_dns/knot_dns.sock conf-commit
OK
# dig +short foo.com @10.37.129.215 SOA
ns1.fastmaildev.com. postmaster.fastmaildev.com. 2025091802 86133 600 1209600 3600
As you can see, immediately after the `conf-commit`, the zone can be queried via dig.
However, this doesn't work in 3.5.0.
# /opt/knot/sbin/knotc -C /local/knot_dns/conf/ -s /run/knot_dns/knot_dns.sock status version
3.5.0
# dig +short foo2.com @10.37.129.215 SOA
# cat > /local/knot_dns/zones/foo2.com.zone <<EOF
foo2.com. 3600 IN SOA ( ns1.fastmaildev.com.
postmaster.fastmaildev.com.
2025091802 ;serial
86133 ;refresh
600 ;retry
1209600 ;expire
3600 ;minimum
)
foo2.com. 3600 IN NS ns1.fastmaildev.com.
foo2.com. 3600 IN NS ns2.fastmaildev.com.
EOF
# cat > /tmp/zone.conf <<EOF
zone:
  - domain: foo2.com
    template: "default"
EOF
# /opt/knot/sbin/knotc -C /local/knot_dns/conf/ -s /run/knot_dns/knot_dns.sock conf-begin
OK
# /opt/knot/sbin/knotc -C /local/knot_dns/conf/ -s /run/knot_dns/knot_dns.sock conf-set include /tmp/zone.conf
OK
# /opt/knot/sbin/knotc -C /local/knot_dns/conf/ -s /run/knot_dns/knot_dns.sock conf-commit
OK
# dig +short foo2.com @10.37.129.215 SOA
# /opt/knot/sbin/knotc -C /local/knot_dns/conf/ -s /run/knot_dns/knot_dns.sock zone-status foo2.com
error: [foo2.com] (no such zone found)
# /opt/knot/sbin/knotc -C /local/knot_dns/conf/ -s /run/knot_dns/knot_dns.sock zone-reload foo2.com
error: [foo2.com] (no such zone found)
# /opt/knot/sbin/knotc -C /local/knot_dns/conf/ -s /run/knot_dns/knot_dns.sock zone-check foo2.com
# /opt/knot/sbin/knotc -C /local/knot_dns/conf/ -s /run/knot_dns/knot_dns.sock reload
Reloaded
# dig +short foo2.com @10.37.129.215 SOA
ns1.fastmaildev.com. postmaster.fastmaildev.com. 2025091802 86133 600 1209600 3600
# /opt/knot/sbin/knotc -C /local/knot_dns/conf/ -s /run/knot_dns/knot_dns.sock zone-status foo2.com
[foo2.com.] role: master | serial: 2025091802
As you can see, after the `conf-commit` the zone isn't visible in knot at all, either via dig or even via the knotc commands `zone-status` or `zone-reload`. However, immediately after a knot server `reload`, it does become visible.
This feels like a bug and regression in 3.5.0 to me, or am I holding something wrong?
Rob Mueller
robm(a)fastmail.com