>Good news JP, I have reproduced the issue with Keyper HSM.
I'm glad you can reproduce it, Daniel. :)
>I'm considering extending keymgr listing with the keystore type.
That would be useful.
>The problem isn't with HSM (of course it happens with SoftHSM too) but in the configuration.
>If the zone isn't configured, keymgr reads the defaults (PEM keystore). So you have to add the
>zone to the configuration before manual key generation or to set some policy with the PKCS11
>keystore in the default template.
That's what I did. In order:
1. Add the zone to the configuration. Don't reload yet.
2. keymgr generate to create the keys on the HSM. (If I do this before step 1, then the keys are obviously created on the default PEM keystore.)
3. Transfer the zone
If I change the order of activities, I still have to retransfer at least once:
1. Add zone to configuration
2. Reload knot conf
2023-02-11T11:35:05+0100 info: [tt06.] AXFR, incoming, remote 192.168.33.31@53, started
2023-02-11T11:35:05+0100 info: [tt06.] AXFR, incoming, remote 192.168.33.31@53, finished, 0.00 seconds, 3 messages, 377 bytes
2023-02-11T11:35:05+0100 error: [tt06.] DNSSEC, no keys are available
2023-02-11T11:35:05+0100 error: [tt06.] DNSSEC, failed to load keys (no keys for signing)
2023-02-11T11:35:05+0100 info: [tt06.] DNSSEC, next signing at 2023-02-11T12:35:05+0100
2023-02-11T11:35:05+0100 error: [tt06.] refresh, failed (no keys for signing)
2023-02-11T11:35:05+0100 error: [tt06.] zone event 'refresh' failed (no keys for signing)
3. Generate keys on PKCS11
4. zone-retransfer tt06
2023-02-11T11:36:32+0100 info: [tt06.] control, received command 'zone-retransfer'
2023-02-11T11:36:32+0100 info: [tt06.] AXFR, incoming, remote 192.168.33.31@53, started
2023-02-11T11:36:32+0100 info: [tt06.] AXFR, incoming, remote 192.168.33.31@53, finished, 0.00 seconds, 3 messages, 377 bytes
2023-02-11T11:36:32+0100 info: [tt06.] DNSSEC, key, tag 59128, algorithm RSASHA256, public, active
2023-02-11T11:36:32+0100 info: [tt06.] DNSSEC, key, tag 7376, algorithm RSASHA256, KSK, public, active
2023-02-11T11:36:32+0100 error: [tt06.] DNSSEC, failed to load private keys (not exists)
2023-02-11T11:36:32+0100 error: [tt06.] DNSSEC, failed to load keys (not exists)
2023-02-11T11:36:32+0100 info: [tt06.] DNSSEC, next signing at 2023-02-11T12:36:32+0100
2023-02-11T11:36:32+0100 error: [tt06.] refresh, failed (not exists)
2023-02-11T11:36:32+0100 error: [tt06.] zone event 'refresh' failed (not exists)
5. restart server
2023-02-11T11:37:20+0100 info: [tt06.] failed to parse zone file 'tt06' (not exists)
2023-02-11T11:37:20+0100 info: [tt06.] zone will be bootstrapped
6. zone-retransfer tt06
2023-02-11T11:37:57+0100 info: [tt06.] control, received command 'zone-retransfer'
2023-02-11T11:37:57+0100 info: [tt06.] AXFR, incoming, remote 192.168.33.31@53, started
2023-02-11T11:37:57+0100 info: [tt06.] AXFR, incoming, remote 192.168.33.31@53, finished, 0.00 seconds, 3 messages, 377 bytes
2023-02-11T11:37:57+0100 info: [tt06.] DNSSEC, key, tag 59128, algorithm RSASHA256, public, active
2023-02-11T11:37:57+0100 info: [tt06.] DNSSEC, key, tag 7376, algorithm RSASHA256, KSK, public, active
2023-02-11T11:37:58+0100 info: [tt06.] DNSSEC, signing started
2023-02-11T11:37:58+0100 info: [tt06.] DNSSEC, successfully signed
2023-02-11T11:37:58+0100 info: [tt06.] DNSSEC, next signing at 2023-02-25T10:37:58+0100
2023-02-11T11:37:58+0100 info: [tt06.] refresh, remote 192.168.33.31@53, zone updated, 0.45 seconds, serial none -> 2023010100, remote serial 2023010100, expires in 604800 seconds
2023-02-11T11:37:58+0100 info: [tt06.] zone file updated, serial 2023010100
Best regards,
-JP
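For reference, the second option Daniel mentions (a policy with the PKCS11 keystore referenced from the default template) expressed as a Knot DNS configuration. This is an added example, not configuration from the thread or from the Knot project; the keystore, policy and remote ids, the module path, token label, PIN and storage path are placeholders, while the zone name, primary address and RSASHA256 algorithm are taken from the log above.

```yaml
# Added example (not from the thread): put a PKCS#11 keystore into the
# *default* template, so keymgr picks the HSM even for a zone that is not
# yet listed explicitly in the configuration.

keystore:
  - id: hsm                       # placeholder id
    backend: pkcs11
    # "<PKCS#11 URL> <path to the PKCS#11 module>"; token, PIN and path are placeholders
    config: "pkcs11:token=knot;pin-value=CHANGE_ME /usr/lib/softhsm/libsofthsm2.so"

policy:
  - id: hsm-rsa                   # placeholder id
    keystore: hsm                 # keys for this policy are created inside the HSM
    algorithm: rsasha256          # same algorithm as the keys in the log
    ksk-size: 2048
    zsk-size: 1024
    manual: on                    # assumed: keys are generated by hand with keymgr, as in the thread

remote:
  - id: primary                   # placeholder id
    address: 192.168.33.31@53     # primary from the AXFR log lines

template:
  - id: default
    storage: /var/lib/knot        # placeholder
    dnssec-signing: on
    dnssec-policy: hsm-rsa        # the defaults now point at the HSM, not at a PEM keystore

zone:
  - domain: tt06
    master: primary
```

With the default template pointing at the HSM, a keymgr run for a zone that is not yet configured still creates its keys in the PKCS11 keystore; when the zone is added explicitly instead, the working order from the thread (add the zone, generate keys, then transfer) still applies.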