Hi Libor,
Hi Daniel,
thanks for your feedback. I upgraded the affected machine to 3.1.7 and
the problem is solved for me.
Thanks,
Thomas
On 25.04.22 12:36, libor.peltan wrote:
Hi Thomas,
thanks much for your report!
This is indeed a bug, which was introduced in Knot DNS version 3.0.6 (by
fixing another bug...), and fixed unintentionally by implementing a
feature in 3.1.0.
I recommend that you work around by using any unaffected version, e.g.
3.1.7.
Please let us know any following interesting findings.
Thank you,
Libor
On 23. 04. 22 at 19:45 Daniel Salzman wrote:
> Hi Thomas,
>
> what changed since the time when it worked? Still the same Knot version?
>
> Daniel
>
> On 4/22/22 23:12, Thomas wrote:
>> Hi,
>>
>> for the transition of a TLD I need to import the current provider's
>> KSK into my zone. I use the "keymgr import-pub" command for this. I
>> have done that a few times in the past and it worked very well.
>>
>> I have now installed the most current version of Knot (3.0.10) and
>> did the same procedure. But after importing the KSK the zone can't be
>> signed anymore. It seems like Knot doesn't recognize that this
>> imported key is a "public-only" key. Knot throws an error and
>> complains that the private key could not be loaded.
>>
>>
>>
>> The zone's keys (.example) before the import of the KSK:
>>
>> # keymgr example list
>> 0b94a3f9fef3ae531fc5ee1334ddd2876db7cd9a ksk=yes zsk=no tag=12595
>> algorithm=7 size=2048 public-only=no pre-active=0
>> publish=1650495677 ready=1650495677 active=1650659051 retire-active=0
>> retire=0 post-active=0 revoke=0 remove=0
>> 13cc082655ddf7160787ef945ad7edb6406bb70e ksk=no zsk=yes tag=05477
>> algorithm=7 size=1024 public-only=no pre-active=0
>> publish=1650495677 ready=0 active=1650495677 retire-active=0 retire=0
>> post-active=0 revoke=0 remove=0
>>
>>
>> Imported the KSK with the following command:
>>
>> # keymgr example import-pub /etc/knot/public.key
>> 2c135e77b7f48475a837ad0d28a9459f0e7ce621
>> OK
>>
>>
>> The zone's keys (.example) after the import of the KSK:
>>
>> # keymgr example list
>> 0b94a3f9fef3ae531fc5ee1334ddd2876db7cd9a ksk=yes zsk=no tag=12595
>> algorithm=7 size=2048 public-only=no pre-active=0
>> publish=1650495677 ready=1650495677 active=1650659051 retire-active=0
>> retire=0 post-active=0 revoke=0 remove=0
>> 13cc082655ddf7160787ef945ad7edb6406bb70e ksk=no zsk=yes tag=05477
>> algorithm=7 size=1024 public-only=no pre-active=0
>> publish=1650495677 ready=0 active=1650495677 retire-active=0 retire=0
>> post-active=0 revoke=0 remove=0
>> 2c135e77b7f48475a837ad0d28a9459f0e7ce621 ksk=yes zsk=no tag=35421
>> algorithm=7 size=2048 public-only=yes pre-active=0
>> publish=1650660072 ready=0 active=0 retire-active=0 retire=0
>> post-active=0 revoke=0 remove=0
>>
>> The imported key (tag 35421) has the flag "public-only=yes", as
>> expected.
>>
>>
>> But when I now sign the zone, the log shows these errors:
>>
>>
>> Apr 22 20:43:24 lab-nic knotd[2831]: info: [example.] control,
>> received command 'zone-sign'
>> Apr 22 20:43:24 lab-nic knotd[2831]: info: [example.] DNSSEC,
>> dropping previous signatures, re-signing zone
>> Apr 22 20:43:24 lab-nic knotd[2831]: info: [example.] DNSSEC, key,
>> tag 12595, algorithm RSASHA1_NSEC3_SHA1, KSK, public, active
>> Apr 22 20:43:24 lab-nic knotd[2831]: info: [example.] DNSSEC, key,
>> tag 35421, algorithm RSASHA1_NSEC3_SHA1, KSK, public, active+
>> Apr 22 20:43:24 lab-nic knotd[2831]: info: [example.] DNSSEC, key,
>> tag 5477, algorithm RSASHA1_NSEC3_SHA1, public, active
>> Apr 22 20:43:24 lab-nic knotd[2831]: error: [example.] DNSSEC, failed
>> to load private keys (not exists)
>> Apr 22 20:43:24 lab-nic knotd[2831]: error: [example.] DNSSEC, failed
>> to load keys (not exists)
>> Apr 22 20:43:24 lab-nic knotd[2831]: info: [example.] DNSSEC, next
>> signing at 2022-04-22T21:43:24+0000
>> Apr 22 20:43:24 lab-nic knotd[2831]: error: [example.] zone event
>> 'DNSSEC re-sign' failed (not exists)
>>
>>
>> The imported key should not have the "active" flag:
>>
>> info: [example.] DNSSEC, key, tag 35421, algorithm
>> RSASHA1_NSEC3_SHA1, KSK, public, active+
>>
>>
>> It seems to me that the imported key is not seen as a "public-only"
>> key anymore and therefore Knot is looking for the corresponding
>> private key, which of course fails.
>>
>>
>> I attached an strace output, with the signing operation. But that
>> doesn't seem to be helpful because the signing command itself doesn't
>> fail.
>>
>> Thanks,
>> Thomas
>>
>> --
> --