[Opendnssec-user] how to match/correlate key's CKA_ID & PUBKEY?
PGNet Dev
2017-02-22 17:23:08 UTC
For a given list of keys in an ODS2 db,

ods-enforcer key list -v
Keys:
Zone: Keytype: State: Date of next transition: Size: Algorithm: CKA_ID: Repository: KeyTag:
example.com KSK retire waiting for ds-gone 384 14 d2f... SoftHSM 91234
example.com KSK retire waiting for ds-gone 384 14 9f1... SoftHSM 13454
example.com KSK retire waiting for ds-gone 384 14 50d... SoftHSM 4215
example.com KSK retire waiting for ds-gone 384 14 f90... SoftHSM 69524
example.com KSK retire waiting for ds-gone 384 14 4f8... SoftHSM 64511
example.com ZSK retire 2017-02-22 09:43:07 384 14 081... SoftHSM 7944
example.com KSK ready waiting for ds-seen 384 14 850... SoftHSM 47635
example.com ZSK retire 2017-02-22 09:43:07 384 14 b5f... SoftHSM 2524
example.com ZSK ready 2017-02-22 09:43:07 384 14 853... SoftHSM 33745

ods-enforcer key list -d
Keys:
Zone: Key role: DS: DNSKEY: RRSIGDNSKEY: RRSIG: Pub: Act: Id:
example.com KSK unretentive omnipresent omnipresent NA 1 1 d2f...
example.com KSK unretentive hidden hidden NA 0 0 9f1...
example.com KSK unretentive hidden hidden NA 0 0 50d...
example.com KSK unretentive hidden hidden NA 0 0 f90...
example.com KSK unretentive hidden hidden NA 0 0 4f8...
example.com ZSK NA hidden NA hidden 0 0 081...
example.com KSK rumoured omnipresent omnipresent NA 1 1 850...
example.com ZSK NA omnipresent NA unretentive 1 0 b5f...
example.com ZSK NA omnipresent NA rumoured 1 1 853...

how do you find/export the public key for a specified CKA_ID?

unlike `key import`

key import
--cka_id <CKA_ID> aka -k
--repository <repository> aka -r
--zone <zone> aka -z
--bits <size> aka -b
--algorithm <algorithm> aka -g
--keystate <state> aka -e
--keytype <type> aka -t
--inception_time <time> aka -w

which provides a --cka-id flag, `key export` does not appear to provide a method to correlate cka_id to public_key,

key export
--zone <zone> | --all aka -z | -a
--keystate <state> aka -e
--keytype <type> aka -t
[--ds [--sha1]] aka -d [-s]

ods-enforcer key export --all
example.com. 300 IN DNSKEY 257 3 14 YJ9...
example.com. 300 IN DNSKEY 257 3 14 jbP...
example.com. 300 IN DNSKEY 257 3 14 TQ0...
example.com. 300 IN DNSKEY 257 3 14 Veo...
example.com. 300 IN DNSKEY 257 3 14 M2u...
example.com. 300 IN DNSKEY 257 3 14 Lj1...
PGNet Dev
2017-02-22 18:59:53 UTC
Post by PGNet Dev
how do you find/export the public key for a specified CKA_ID?
You can't do that as each CKA_ID may be allocated to DNSKEY in different
zones.
jakob
Then I'm missing something ...

How _do_ you manually clean up a mis-published key from both observer & its 'match' in the ods DB?

E.g., if @ an external observer, I identify a DNSKEY I want removed,

dig DNSKEY example.com | grep 257
example.com. 300 IN DNSKEY 257 3 14 YJ9...
example.com. 300 IN DNSKEY 257 3 14 UWB... <====== WANT TO PURGE THIS KEY

Which one of these

ods-enforcer key list -d
Keys:
Zone: Key role: DS: DNSKEY: RRSIGDNSKEY: RRSIG: Pub: Act: Id:
example.com KSK unretentive omnipresent omnipresent NA 1 1 d2f...
example.com KSK unretentive hidden hidden NA 0 0 9f1...
example.com KSK unretentive hidden hidden NA 0 0 50d...
example.com KSK unretentive hidden hidden NA 0 0 f90...
example.com KSK unretentive hidden hidden NA 0 0 4f8...
example.com ZSK NA hidden NA hidden 0 0 081...
example.com KSK rumoured omnipresent omnipresent NA 1 1 850...
example.com ZSK NA omnipresent NA unretentive 1 0 b5f...
example.com ZSK NA omnipresent NA rumoured 1 1 853...

do I delete/purge ?
Yuri Schaeffer
2017-02-22 22:14:17 UTC
Hi,
Post by PGNet Dev
dig DNSKEY example.com | grep 257
example.com. 300 IN DNSKEY 257 3 14 YJ9...
example.com. 300 IN DNSKEY 257 3 14 UWB... <====== WANT TO PURGE THIS KEY
Try
dig example.com DNSKEY +rrcomments
It'll show you the keytag.

//Yuri
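Yuri's answer is the key tag: dig +rrcomments prints it, and the KeyTag column of `ods-enforcer key list -v` sits beside the CKA_ID. The following is an added example (not from this thread or from OpenDNSSEC) that computes the RFC 4034 Appendix B key tag from a DNSKEY record as dig or `key export` prints it and matches it, per zone, against rows in the shape of `key list -v`; every CKA_ID, key tag and public key in it is constructed.

```python
import base64
import struct

# Added example (not from the thread). Key tag per RFC 4034 Appendix B, so a
# DNSKEY seen by an external observer via dig can be matched to the KeyTag
# column of `ods-enforcer key list -v`, which sits next to the CKA_ID.
# Every CKA_ID, key tag and public key below is constructed, not real.

def dnskey_keytag(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> int:
    """Key tag over the DNSKEY RDATA (flags, protocol, algorithm, key)."""
    if algorithm == 1:
        # RSA/MD5 (deprecated) uses a different rule in RFC 4034 B.1; refuse it.
        raise ValueError("RSA/MD5 key tag not supported")
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + pubkey
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b   # even offsets weigh 256, odd weigh 1
    ac += (ac >> 16) & 0xFFFF             # fold the carry back in
    return ac & 0xFFFF

def parse_dnskey_rr(rr: str) -> tuple[str, int, int, int, bytes]:
    """Parse a DNSKEY RR in presentation format (dig / `key export` output).
    Handles dig's multi-line '( ... )' form and strips ';' comments."""
    fields = rr.split(";")[0].split()
    i = fields.index("DNSKEY")
    zone = fields[0].rstrip(".")
    flags, protocol, algorithm = (int(x) for x in fields[i + 1:i + 4])
    b64 = "".join(f for f in fields[i + 4:] if f not in ("(", ")"))
    return zone, flags, protocol, algorithm, base64.b64decode(b64)

def keytag_from_rr(rr: str) -> int:
    zone, flags, protocol, algorithm, pubkey = parse_dnskey_rr(rr)
    return dnskey_keytag(flags, protocol, algorithm, pubkey)

# Constructed rows modelled on `key list -v` columns Zone, Keytype, CKA_ID, KeyTag.
KEY_LIST_ROWS = [
    {"zone": "example.com", "type": "KSK", "cka_id": "d2f0" + "00" * 14, "keytag": 91234},
    {"zone": "example.com", "type": "KSK", "cka_id": "cafe" + "00" * 14, "keytag": 2069},
]

def match_observed_key(rr: str, rows: list[dict]) -> list[tuple[str, str, str]]:
    """Return (zone, type, cka_id) for every row whose zone and key tag match
    the observed record. Key tags are not unique, so a list is returned and a
    multi-hit should be confirmed by comparing the exported DNSKEY bytes."""
    zone, flags, protocol, algorithm, pubkey = parse_dnskey_rr(rr)
    tag = dnskey_keytag(flags, protocol, algorithm, pubkey)
    return [(r["zone"], r["type"], r["cka_id"])
            for r in rows if r["zone"] == zone and r["keytag"] == tag]
```

Matching on zone as well as key tag covers Jakob's point that one CKA_ID may back DNSKEYs in several zones; the observed RR's owner name supplies the zone.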
