Hi,
for the transition of a TLD I need to import the current providers KSK
into my zone. I use the "keymgr import-pub" command for this. I have
done that a few times in the past and it worked very well.
I have now installed the most current version of Knot (3.0.10) and did
the same procedure. But after importing the KSK the zone can't be signed
anymore. It seems like Knot doesn't recognize that this imported key is
a "public-only" key. Knot throws an error and complains that the private
key could not be loaded.
The zone's keys (.example) before the import of the KSK:
# keymgr example list
0b94a3f9fef3ae531fc5ee1334ddd2876db7cd9a ksk=yes zsk=no tag=12595
algorithm=7 size=2048 public-only=no pre-active=0 publish=1650495677
ready=1650495677 active=1650659051 retire-active=0 retire=0
post-active=0 revoke=0 remove=0
13cc082655ddf7160787ef945ad7edb6406bb70e ksk=no zsk=yes tag=05477
algorithm=7 size=1024 public-only=no pre-active=0 publish=1650495677
ready=0 active=1650495677 retire-active=0 retire=0 post-active=0
revoke=0 remove=0
Imported the KSK with the following command:
# keymgr example import-pub /etc/knot/public.key
2c135e77b7f48475a837ad0d28a9459f0e7ce621
OK
The zone's keys (.example) after the import of the KSK:
# keymgr example list
0b94a3f9fef3ae531fc5ee1334ddd2876db7cd9a ksk=yes zsk=no tag=12595
algorithm=7 size=2048 public-only=no pre-active=0 publish=1650495677
ready=1650495677 active=1650659051 retire-active=0 retire=0
post-active=0 revoke=0 remove=0
13cc082655ddf7160787ef945ad7edb6406bb70e ksk=no zsk=yes tag=05477
algorithm=7 size=1024 public-only=no pre-active=0 publish=1650495677
ready=0 active=1650495677 retire-active=0 retire=0 post-active=0
revoke=0 remove=0
2c135e77b7f48475a837ad0d28a9459f0e7ce621 ksk=yes zsk=no tag=35421
algorithm=7 size=2048 public-only=yes pre-active=0 publish=1650660072
ready=0 active=0 retire-active=0 retire=0 post-active=0 revoke=0 remove=0
The imported key (tag 35421) has the flag "public-only=yes", as expected.
But when I now sign the zone, the log shows this errors:
Apr 22 20:43:24 lab-nic knotd[2831]: info: [example.] control, received
command 'zone-sign'
Apr 22 20:43:24 lab-nic knotd[2831]: info: [example.] DNSSEC, dropping
previous signatures, re-signing zone
Apr 22 20:43:24 lab-nic knotd[2831]: info: [example.] DNSSEC, key, tag
12595, algorithm RSASHA1_NSEC3_SHA1, KSK, public, active
Apr 22 20:43:24 lab-nic knotd[2831]: info: [example.] DNSSEC, key, tag
35421, algorithm RSASHA1_NSEC3_SHA1, KSK, public, active+
Apr 22 20:43:24 lab-nic knotd[2831]: info: [example.] DNSSEC, key, tag
5477, algorithm RSASHA1_NSEC3_SHA1, public, active
Apr 22 20:43:24 lab-nic knotd[2831]: error: [example.] DNSSEC, failed to
load private keys (not exists)
Apr 22 20:43:24 lab-nic knotd[2831]: error: [example.] DNSSEC, failed to
load keys (not exists)
Apr 22 20:43:24 lab-nic knotd[2831]: info: [example.] DNSSEC, next
signing at 2022-04-22T21:43:24+0000
Apr 22 20:43:24 lab-nic knotd[2831]: error: [example.] zone event
'DNSSEC re-sign' failed (not exists)
The imported key should not have the "active" flag:
info: [example.] DNSSEC, key, tag 35421, algorithm RSASHA1_NSEC3_SHA1,
KSK, public, active+
It seems to me that the imported key is not seen as a "public-only" key
anymore and therefore Knot is looking for the corresponding private key,
which of course fails.
I attached an strace output, with the signing operation. But that
doesn't seem to be helpful because the signing command itself doesn't fail.
Thanks,
Thomas