I am trying to import a public key generated by BIND into Knot, when using
the SoftHSM2 key store. I have the following pieces of information:
In my knot.conf file:
policy:
- id: SoftHSMRSAPolicy
algorithm: RSASHA256
ksk-size: 2048
zsk-size: 2048
ksk-lifetime: 7h
zsk-lifetime: 6h
dnskey-ttl: 12s
zone-max-ttl: 15s
keystore: SoftHSM
zone:
- domain: 00.mydomain.com
storage: /srv/knot
file: db.mydomain00
dnssec-signing: on
dnssec-policy: SoftHSMRSAPolicy
The public key is in a file named pubkey, and has the following contents:
; This is a zone-signing key, keyid 14694, for 00.mydomain.com.
; Created: 20211109192137 (Tue Nov 9 12:21:37 2021)
; Publish: 20211109192137 (Tue Nov 9 12:21:37 2021)
; Activate: 20211109192137 (Tue Nov 9 12:21:37 2021)
00.mydomain.com. IN DNSKEY 256 3 8 AwEAAd1XmDMiF4/WWW+lneSg2hScxQl
TJHU/cIyBnDJDnW3MFkuyR7e+y3UqZScTXz5tfcGkDYGpqFqZ3+RgyN7A3ZAC3RsayivUuE9lec25IT97
jPZaTsHUjalDQjXkBhCIHBb79vVsz0SMZOeez78qzhRtpdkFYVNRcAW4EZVgdQAdiuJGeDEuxsaTkRnLwujnaqURyAzevqfQfjz319CPsYr4tN4K9nu2Fc0Sh+b5pdM6ejRieLnUUgZpuefRfgsSHJQErNe
FevdtihLpq93r
E5OARwmK0c4vyzgpmREloMJlwV+lrZdlKqZnnIZIXgkD+59Tjh0XZ72exdvonun4uG8=
(The DNSKEY record is in a single line.)
The command I am using to import this key is
# ./keymgr 00.mydomain.com. import-pub ./pubkey
This spins for a few seconds and then prints out:
Error: file error
Any ideas as to what it is that I am doing wrong?
The command that I am invoking to import this public key is the following:
I have been trying to get a better understanding concerning the information
Knot stores in its KASP. Knot adds new key information into the KASP by
means of the kasp_db_add_key function. One of the arguments to this
function is a pointer to a key_params_t structure, one of whose members is
called is_pub_only. This would seem to imply that the KASP may contain
information about key pairs such that only the public component of the key
pair is available to Knot.
Under what set of circumstances would such a key be stored in the KASP?
Since they are used for signing RRs, any KSKs and ZSKs in the KASP have to
be complete, in that both the private and the public components are
available to Knot (I know that the private component itself is not present
in the KASP, but that's OK). A KASP key for which the private component is
not available could be used for verifying signatures - but that's not
something that Knot does, right?
So, under what set circumstances would Knot add a key to the KASP such that
the is_pub_only member is set to true?
Hi,
I'm trying to dig into the dns-benchmark tools, but am running into a
few issues. I realized that it requires some specific settings, like
/home/dnsbench seems to be hardcoded for the logs somehow, and it being
run as root, but now I see a lot of syntax error message flooding me,
with lines in between about that hostname is an invalid number:
standard_in) 2: syntax error
(standard_in) 2: syntax error
(standard_in) 2: syntax error
(standard_in) 2: syntax error
(standard_in) 1: syntax error
(standard_in) 1: syntax error
(standard_in) 1: syntax error
(standard_in) 1: syntax error
(standard_in) 1: syntax error
/tmp/benchmark-1636019360/modules/responses.sh: line 170: printf:
hostname: invalid number
knot2 ssh: % answered for Could q/s, not B avg (resolve a/s, 0 B avg)
(repeated output)
Anyone else using the tools and potentially can give me a prod in the
right direction? We'd like to check how knot performs in our
environment with the systems we have at hand.
Thanks in advance for any advice,
Rhonda
