Hi,
We will fix that in 3.0.11 as well.
Daniel
On 25. 04. 22 12:36, libor.peltan wrote:
Hi Thomas,
thanks much for your report!
This is indeed a bug, which was introduced in Knot DNS version 3.0.6 (by fixing another
bug...), and fixed unintentionally by implementing a feature in 3.1.0.
I recommend that you work around by using any unaffected version, e.g. 3.1.7.
Please let us know any following interesting findings.
Thank you,
Libor
On 23. 04. 22 at 19:45 Daniel Salzman wrote:
> Hi Thomas,
>
> what changed since the time when it worked? Still the same Knot version?
>
> Daniel
>
> On 4/22/22 23:12, Thomas wrote:
>> Hi,
>>
>> for the transition of a TLD I need to import the current provider's KSK into my zone. I use the "keymgr import-pub" command for this. I have done that a few times in the past and it worked very well.
>>
>> I have now installed the most current version of Knot (3.0.10) and did the same procedure. But after importing the KSK the zone can't be signed anymore. It seems like Knot doesn't recognize that this imported key is a "public-only" key. Knot throws an error and complains that the private key could not be loaded.
>>
>>
>>
>> The zone's keys (.example) before the import of the KSK:
>>
>> # keymgr example list
>> 0b94a3f9fef3ae531fc5ee1334ddd2876db7cd9a ksk=yes zsk=no tag=12595 algorithm=7 size=2048 public-only=no pre-active=0 publish=1650495677 ready=1650495677 active=1650659051 retire-active=0 retire=0 post-active=0 revoke=0 remove=0
>> 13cc082655ddf7160787ef945ad7edb6406bb70e ksk=no zsk=yes tag=05477 algorithm=7 size=1024 public-only=no pre-active=0 publish=1650495677 ready=0 active=1650495677 retire-active=0 retire=0 post-active=0 revoke=0 remove=0
>>
>>
>> Imported the KSK with the following command:
>>
>> # keymgr example import-pub /etc/knot/public.key
>> 2c135e77b7f48475a837ad0d28a9459f0e7ce621
>> OK
>>
>>
>> The zone's keys (.example) after the import of the KSK:
>>
>> # keymgr example list
>> 0b94a3f9fef3ae531fc5ee1334ddd2876db7cd9a ksk=yes zsk=no tag=12595 algorithm=7 size=2048 public-only=no pre-active=0 publish=1650495677 ready=1650495677 active=1650659051 retire-active=0 retire=0 post-active=0 revoke=0 remove=0
>> 13cc082655ddf7160787ef945ad7edb6406bb70e ksk=no zsk=yes tag=05477 algorithm=7 size=1024 public-only=no pre-active=0 publish=1650495677 ready=0 active=1650495677 retire-active=0 retire=0 post-active=0 revoke=0 remove=0
>> 2c135e77b7f48475a837ad0d28a9459f0e7ce621 ksk=yes zsk=no tag=35421 algorithm=7 size=2048 public-only=yes pre-active=0 publish=1650660072 ready=0 active=0 retire-active=0 retire=0 post-active=0 revoke=0 remove=0
>>
>> The imported key (tag 35421) has the flag "public-only=yes", as expected.
>>
>>
>> But when I now sign the zone, the log shows these errors:
>>
>>
>> Apr 22 20:43:24 lab-nic knotd[2831]: info: [example.] control, received command 'zone-sign'
>> Apr 22 20:43:24 lab-nic knotd[2831]: info: [example.] DNSSEC, dropping previous signatures, re-signing zone
>> Apr 22 20:43:24 lab-nic knotd[2831]: info: [example.] DNSSEC, key, tag 12595, algorithm RSASHA1_NSEC3_SHA1, KSK, public, active
>> Apr 22 20:43:24 lab-nic knotd[2831]: info: [example.] DNSSEC, key, tag 35421, algorithm RSASHA1_NSEC3_SHA1, KSK, public, active+
>> Apr 22 20:43:24 lab-nic knotd[2831]: info: [example.] DNSSEC, key, tag 5477, algorithm RSASHA1_NSEC3_SHA1, public, active
>> Apr 22 20:43:24 lab-nic knotd[2831]: error: [example.] DNSSEC, failed to load private keys (not exists)
>> Apr 22 20:43:24 lab-nic knotd[2831]: error: [example.] DNSSEC, failed to load keys (not exists)
>> Apr 22 20:43:24 lab-nic knotd[2831]: info: [example.] DNSSEC, next signing at 2022-04-22T21:43:24+0000
>> Apr 22 20:43:24 lab-nic knotd[2831]: error: [example.] zone event 'DNSSEC re-sign' failed (not exists)
>>
>>
>> The imported key should not have the "active" flag:
>>
>> info: [example.] DNSSEC, key, tag 35421, algorithm RSASHA1_NSEC3_SHA1, KSK, public, active+
>>
>>
>> It seems to me that the imported key is not seen as a "public-only" key anymore and therefore Knot is looking for the corresponding private key, which of course fails.
>>
>>
>> I attached an strace output, with the signing operation. But that doesn't seem to be helpful because the signing command itself doesn't fail.
>>
>> Thanks,
>> Thomas
>>
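As an added example that is not part of this thread or of Knot DNS: a small Python check that parses `keymgr <zone> list` output together with the knotd log lines quoted above and reports a key that keymgr marks public-only but the signer nevertheless logged as active next to the private-key load error; it also encodes the affected-version range as Libor and Daniel state it (introduced in 3.0.6, fixed in 3.1.0, fix planned for 3.0.11). The sample list output and log lines are constructed from the thread, and the function names are my own.

```python
import re

# Constructed sample: the two KSK lines of `keymgr example list` from the thread above.
KEYMGR_LIST = """\
0b94a3f9fef3ae531fc5ee1334ddd2876db7cd9a ksk=yes zsk=no tag=12595 algorithm=7 size=2048 public-only=no pre-active=0 publish=1650495677 ready=1650495677 active=1650659051 retire-active=0 retire=0 post-active=0 revoke=0 remove=0
2c135e77b7f48475a837ad0d28a9459f0e7ce621 ksk=yes zsk=no tag=35421 algorithm=7 size=2048 public-only=yes pre-active=0 publish=1650660072 ready=0 active=0 retire-active=0 retire=0 post-active=0 revoke=0 remove=0
"""

# Constructed sample: knotd log lines from the thread's failed zone-sign.
KNOTD_LOG = """\
Apr 22 20:43:24 lab-nic knotd[2831]: info: [example.] DNSSEC, key, tag 12595, algorithm RSASHA1_NSEC3_SHA1, KSK, public, active
Apr 22 20:43:24 lab-nic knotd[2831]: info: [example.] DNSSEC, key, tag 35421, algorithm RSASHA1_NSEC3_SHA1, KSK, public, active+
Apr 22 20:43:24 lab-nic knotd[2831]: info: [example.] DNSSEC, key, tag 5477, algorithm RSASHA1_NSEC3_SHA1, public, active
Apr 22 20:43:24 lab-nic knotd[2831]: error: [example.] DNSSEC, failed to load private keys (not exists)
"""


def parse_keymgr_list(text):
    """One dict per key: 'id' plus every key=value field, values kept as strings."""
    keys = []
    for fields in (line.split() for line in text.splitlines() if line.strip()):
        entry = {"id": fields[0]}
        for kv in fields[1:]:
            name, _, value = kv.partition("=")
            entry[name] = value
        keys.append(entry)
    return keys


def public_only_tags(keys):
    """Tags of public-only keys as ints, so keymgr's '05477' would match the log's '5477'."""
    return {int(k["tag"]) for k in keys if k.get("public-only") == "yes"}


# Matches the signer's per-key line and captures the tag; 'active+' and 'active' both count.
LOG_KEY_RE = re.compile(r"DNSSEC, key, tag (\d+), .*\bactive\+?$")


def misused_public_only_tags(log_text, keys):
    """Public-only tags the signer logged as active alongside a private-key load error."""
    if "failed to load private keys" not in log_text:
        return set()  # healthy signing run: nothing to report
    pub_only = public_only_tags(keys)
    return {int(m.group(1)) for m in map(LOG_KEY_RE.search, log_text.splitlines())
            if m and int(m.group(1)) in pub_only}


def version_affected(version):
    """Per the thread: introduced in 3.0.6, fixed in 3.1.0 and planned for 3.0.11."""
    v = tuple(int(p) for p in version.split("."))
    return (3, 0, 6) <= v < (3, 0, 11)
```

Running `misused_public_only_tags(KNOTD_LOG, parse_keymgr_list(KEYMGR_LIST))` on the sample returns `{35421}`, the imported KSK from the report.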