Discussion:
[Opendnssec-user] moving zone from lab to default
Fredrik Thulin
2016-03-31 07:36:47 UTC
Hi

I have an opendnssec 1.4.6 setup with a KSK in a Yubikey NEO.

The Yubikey has limited space for keys, and the current p11 module doesn't
support key generation, so I have a single KSK in the Yubikey and a second
SoftHSM repository for ZSKs.

I created my first zone example.net in policy "lab" and imported the KSK in
the Yubikey like this:

ods-ksmutil key import --cka_id 01 --repository YubiKeyNEO4PIV \
--bits 2048 --algorithm 8 --keystate active --keytype KSK \
--time 20260309 --zone example.net

A ods-ksmutil key list --verbose shows me this (date and CKA_ID shortened to
make it fit in e-mail):

Keys:
Zone:        Keytype:  State:  Date:  Size:  Alg:  CKA_ID:     Repository:     Keytag:
example.net  KSK       active  2026   2048   8     01          YubiKeyNEO4PIV  10369
example.net  ZSK       active  2016   2048   8     85631b...2  SoftHSM         43338

When I was happy with it, I got my DS records published in the .net zone and
after that I wanted to move the zone to policy default. Turns out, keys are
secretly associated with policies for some reason, so opendnssec wanted to
generate a new KSK but failed since the YubikeyNEO4PIV repository doesn't
support key generation. I did not want to generate new KSKs.

How should one go about moving a zone from one policy to another? Don't tell
me how to do it in sqlite3, I've already figured that out ;).

/Fredrik
Yuri Schaeffer
2016-03-31 08:25:52 UTC
Hi Fredrik,
Post by Fredrik Thulin
When I was happy with it, I got my DS records published in the .net zone
and after that I wanted to move the zone to policy default. Turns out,
keys are secretly associated with policies for some reason, so opendnssec
wanted to generate a new KSK but failed since the YubikeyNEO4PIV
repository doesn't support key generation. I did not want to generate
new KSKs.
As far as I know OpenDNSSEC 1.x does not support this kind of operation.
Keys are linked to a policy since the policy dictates their parameters
and more important lifetime and TTL's.
Post by Fredrik Thulin
How should one go about moving a zone from one policy to another? Don't
tell me how to do it in sqlite3, I've already figured that out ;).
This is IMHO your best/only option.

regards,
Yuri
Fredrik Thulin
2016-03-31 08:44:16 UTC
Post by Yuri Schaeffer
Hi Fredrik,
Post by Fredrik Thulin
When I was happy with it, I got my DS records published in the .net zone
and after that I wanted to move the zone to policy default. Turns out,
keys are secretly associated with policies for some reason, so opendnssec
wanted to generate a new KSK but failed since the YubikeyNEO4PIV
repository doesn't support key generation. I did not want to generate
new KSKs.
As far as I know OpenDNSSEC 1.x does not support this kind of operation.
Keys are linked to a policy since the policy dictates their parameters
and more important lifetime and TTL's.
Thank you for the quick response. It would have been easier to understand that
if "ods-ksmutil key import" took a --policy rather than --zone.

Does <ShareKeys/> span policies? How come ShareKeys appears to be a setting for
all keys of all types, and not a setting per repository or key-type?

/Fredrik
Yuri Schaeffer
2016-03-31 09:55:26 UTC
Post by Fredrik Thulin
Thank you for the quick response. It would have been easier to
understand that if "ods-ksmutil key import" took a --policy rather than
--zone.
Generally when importing keys you want to tie them to a specific zone.
Post by Fredrik Thulin
Does <ShareKeys/> span policies? How come ShareKeys appears to be a
setting for all keys of all types, and not a setting per repository or
key-type?
No, it doesn't span multiple policies. It does apply on all keys of that
particular policy. I don't know about any design decisions for this though.

//Yuri
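A worked version of the database route the thread settles on (the sqlite3 edit Fredrik says he has figured out, which Yuri calls the only option in 1.x), with the ShareKeys caveat from the last exchange folded in as a check. This is an added example written for this page, not OpenDNSSEC's own code or an ods-ksmutil command; it runs against a constructed in-memory copy of a few kasp.db columns. The table and column names (policies, zones.policy_id, keypairs.policy_id, dnsseckeys.keypair_id/zone_id, keytype 257 for KSK and 256 for ZSK) are assumed from the 1.4 schema, the CKA_IDs other than "01" are made up, and the reading that a zone/keypair policy mismatch is what makes the enforcer try to generate a fresh KSK is mine, not something the thread states. On a real kasp.db: stop ods-enforcerd first, back the file up, and run the mismatch query afterwards.

```python
import sqlite3

# Constructed subset of the OpenDNSSEC 1.4 KASP tables (assumed column names;
# everything else in a real kasp.db is left out).
SCHEMA = """
CREATE TABLE policies   (id INTEGER PRIMARY KEY, name TEXT UNIQUE NOT NULL);
CREATE TABLE zones      (id INTEGER PRIMARY KEY, name TEXT UNIQUE NOT NULL,
                         policy_id INTEGER NOT NULL REFERENCES policies(id));
CREATE TABLE keypairs   (id INTEGER PRIMARY KEY, HSMkey_id TEXT NOT NULL,
                         algorithm INTEGER, size INTEGER,
                         policy_id INTEGER NOT NULL REFERENCES policies(id),
                         securitymodule_id INTEGER);
CREATE TABLE dnsseckeys (id INTEGER PRIMARY KEY,
                         keypair_id INTEGER NOT NULL REFERENCES keypairs(id),
                         zone_id INTEGER NOT NULL REFERENCES zones(id),
                         keytype INTEGER NOT NULL);  -- 257 = KSK, 256 = ZSK
"""


def build_demo_db():
    """Constructed in-memory kasp.db mirroring the thread: example.net on policy
    "lab" with a KSK in the YubiKey repository (securitymodule 1) and a ZSK in
    SoftHSM (securitymodule 2), plus two other lab zones sharing one ZSK, as a
    ShareKeys policy would produce. CKA_IDs other than "01" are made up."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO policies VALUES (?, ?)", [(1, "lab"), (2, "default")])
    conn.executemany("INSERT INTO zones VALUES (?, ?, ?)",
                     [(1, "example.net", 1), (2, "shared.example", 1), (3, "other.example", 1)])
    conn.executemany("INSERT INTO keypairs VALUES (?, ?, ?, ?, ?, ?)",
                     [(1, "01", 8, 2048, 1, 1),        # KSK, YubiKey, policy lab
                      (2, "a1b2c3", 8, 2048, 1, 2),    # ZSK, SoftHSM, policy lab
                      (3, "d4e5f6", 8, 2048, 1, 2)])   # ZSK shared by two lab zones
    conn.executemany("INSERT INTO dnsseckeys VALUES (?, ?, ?, ?)",
                     [(1, 1, 1, 257), (2, 2, 1, 256), (3, 3, 2, 256), (4, 3, 3, 256)])
    conn.commit()
    return conn


def policy_mismatches(conn):
    """(zone, keypair id) pairs whose keypair policy differs from the zone's policy.
    This is the state you get by editing only the zones row; on my reading of the
    thread it is what makes the enforcer want a new KSK for the zone."""
    return conn.execute("""
        SELECT z.name, k.id
          FROM dnsseckeys d
          JOIN zones z    ON z.id = d.zone_id
          JOIN keypairs k ON k.id = d.keypair_id
         WHERE k.policy_id <> z.policy_id
         ORDER BY z.name, k.id""").fetchall()


def move_zone_to_policy(conn, zone, new_policy, move_keys=True):
    """Re-point a zone and the keypairs only it uses at another policy, in one
    transaction. Returns the number of keypairs moved. Refuses when a keypair is
    also used by another zone (ShareKeys), since re-policying it would silently
    change that other zone's key parameters too. move_keys=False reproduces the
    zones-only edit, for comparison with policy_mismatches()."""
    row = conn.execute("SELECT id, policy_id FROM zones WHERE name = ?", (zone,)).fetchone()
    if row is None:
        raise LookupError(f"no such zone: {zone}")
    zone_id, old_policy_id = row
    row = conn.execute("SELECT id FROM policies WHERE name = ?", (new_policy,)).fetchone()
    if row is None:
        raise LookupError(f"no such policy: {new_policy}")
    new_policy_id = row[0]
    if new_policy_id == old_policy_id:
        return 0  # already there; nothing to do
    keypair_ids = [r[0] for r in conn.execute(
        "SELECT DISTINCT keypair_id FROM dnsseckeys WHERE zone_id = ?", (zone_id,))]
    shared = [kp for kp in keypair_ids if conn.execute(
        "SELECT 1 FROM dnsseckeys WHERE keypair_id = ? AND zone_id <> ? LIMIT 1",
        (kp, zone_id)).fetchone()]
    if move_keys and shared:
        raise RuntimeError(f"keypairs {shared} are shared with other zones; refusing to move {zone}")
    with conn:  # commit both updates together, or roll both back
        conn.execute("UPDATE zones SET policy_id = ? WHERE id = ?", (new_policy_id, zone_id))
        if move_keys:
            conn.executemany("UPDATE keypairs SET policy_id = ? WHERE id = ?",
                             [(new_policy_id, kp) for kp in keypair_ids])
    return len(keypair_ids) if move_keys else 0


if __name__ == "__main__":
    db = build_demo_db()
    print("moved", move_zone_to_policy(db, "example.net", "default"), "keypairs")
    print("mismatches after move:", policy_mismatches(db))
    try:
        move_zone_to_policy(db, "shared.example", "default")
    except RuntimeError as e:
        print("refused:", e)
```

The shared-key check is the part worth keeping even if the rest is replaced by hand-typed SQL: under ShareKeys a keypair row belongs to the policy, not to one zone, so a zone-by-zone move has to confirm nothing else references the keypair before touching keypairs.policy_id.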