dnssec-signzone: fatal: cannot sign zone with non-private dnskey

Ivo ivo at nic.lv
Tue Mar 22 14:46:08 UTC 2011


Hello,

I am trying to sign a zone (domain.nx) using Bind-9.7.3 with
PKCS11/OpenSC. I am able to generate a key on the smartcard using
(pkcs11-keygen) and export the meta-description info with
dnssec-keyfromlabel; however, dnssec-signzone seems to have a problem
finding the private key.

#./dnssec-signzone -E pkcs11  -N unixtime  -r /dev/urandom  -v 5   -o 
domain.nx  -a -A  -H 2 -3 12345678 -t  -k Kdomain.nx.+008+61097
domain.nx Kdomain.nx.+008+61096

dnssec-signzone: fatal: cannot sign zone with non-private dnskey
Kdomain.nx.+008+61096

---

This is how I exported the key information from the smartcard, slot 1 : keyID

# ./dnssec-keyfromlabel -l 1:2fbe3c50f0b7fd76f86b9efe6a6bb933547ce58c -a
RSASHA256 -f KSK domain.nx
Kdomain.nx.+008+61097
#./dnssec-keyfromlabel -l 1:2fbe3c50f0b7fd76f86b9efe6a6bb933547ce58c -a
RSASHA256  domain.nx
Kdomain.nx.+008+61096

#pkcs15-tool -D

Private RSA Key [test]
        Object Flags   : [0x3], private, modifiable
        Usage          : [0xC], sign, signRecover
        Access Flags   : [0x0]
        ModLength      : 1024
        Key ref        : 1
        Native         : yes
        Path           : 3f005015
        Auth ID        : 01
        ID             : 2fbe3c50f0b7fd76f86b9efe6a6bb933547ce58c

Public RSA Key [test]
        Object Flags   : [0x2], modifiable
        Usage          : [0xC0], verify, verifyRecover
        Access Flags   : [0x0]
        ModLength      : 1024
        Key ref        : 0
        Native         : no
        Path           : 3f0050153000
        ID             : 2fbe3c50f0b7fd76f86b9efe6a6bb933547ce58c


The Base64-encoded Label seems to match the slot:keyID of the key on the smartcard:

# more Kdomain.nx.+008+61096.private
Private-key-format: v1.3
Algorithm: 8 (RSASHA256)
Modulus:
rQTT+TTT+UZ5bHDgSXD9NYC7uuVm1VY8S1ssDgWnoM72xD1SHaKDcaF3YtDZ7FyvNGPwUC4nxIzCwJvhNEKbTqFvhTl1bovzMPdSZ/BfcQjYDJpDe8aF94woIIo
q5ryDPGx9ymo6qQ9hhOzN0IWMbUp9q0JgTC8QnJ9Vc+Rlsf0=
PublicExponent: AQAB
Engine: cGtjczExAA==
Label: MToyZmJlM2M1MGYwYjdmZDc2Zjg2YjllZmU2YTZiYjkzMzU0N2NlNThjAA==
Created: 20110322140421
Publish: 20110322140421
Activate: 20110322140421

#more Kdomain.nx.+008+61096.key
; This is a zone-signing key, keyid 61096, for domain.nx.
; Created: 20110322140421 (Tue Mar 22 16:04:21 2011)
; Publish: 20110322140421 (Tue Mar 22 16:04:21 2011)
; Activate: 20110322140421 (Tue Mar 22 16:04:21 2011)
domain.nx. IN DNSKEY 256 3 8
AwEAAa0E0/k00/lGeWxw4Elw/TWAu7rlZtVWPEtbLA4Fp6DO9sQ9Uh2i
g3Ghd2LQ2excrzRj8FAuJ8SMwsCb4TRCm06hb4U5dW6L8zD3UmfwX3EI
2AyaQ3vGhfeMKCCKKua8gzxsfcpqOqkPYYTszdCFjG1KfatCYEwvEJyf VXPkZbH9

Has anyone else had a similar problem with the signing tool?

Thanks,

Ivo
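Before blaming the signer it is worth checking that the two files dnssec-keyfromlabel produced are internally consistent: that Engine and Label really decode to "pkcs11" and the slot:keyID shown by pkcs15-tool, that the DNSKEY in the .key file is the same RSA public key the .private file describes (RFC 3110 encoding: exponent length, exponent, modulus), and that the key tag computed per RFC 4034 Appendix B equals the keyid in the file name. The script below is an added example, not part of the post or of BIND; it embeds the .private and .key contents and the pkcs15-tool key ID quoted above as sample input, never touches a smart card, and makes no claim about why dnssec-signzone fails.

```python
"""Consistency checks for a BIND dnssec-keyfromlabel key pair (PKCS#11 engine).

Added example, not code from the original post or from BIND. It parses the
Kdomain.nx.+008+61096.private / .key contents quoted in the post, decodes
the Engine and Label fields, checks that the DNSKEY public key matches the
modulus/exponent in the .private file (RFC 3110 wire format) and that the
RFC 4034 Appendix B key tag equals the keyid in the file name. The
pkcs15-tool key ID is copied from the post as a constant; nothing here
talks to a smart card.
"""
import base64

# Sample input: the two files exactly as quoted in the post (the mail client
# wrapped the Modulus value and the DNSKEY base64 across lines).
PRIVATE_FILE = """\
Private-key-format: v1.3
Algorithm: 8 (RSASHA256)
Modulus:
rQTT+TTT+UZ5bHDgSXD9NYC7uuVm1VY8S1ssDgWnoM72xD1SHaKDcaF3YtDZ7FyvNGPwUC4nxIzCwJvhNEKbTqFvhTl1bovzMPdSZ/BfcQjYDJpDe8aF94woIIo
q5ryDPGx9ymo6qQ9hhOzN0IWMbUp9q0JgTC8QnJ9Vc+Rlsf0=
PublicExponent: AQAB
Engine: cGtjczExAA==
Label: MToyZmJlM2M1MGYwYjdmZDc2Zjg2YjllZmU2YTZiYjkzMzU0N2NlNThjAA==
Created: 20110322140421
Publish: 20110322140421
Activate: 20110322140421
"""

KEY_FILE = """\
; This is a zone-signing key, keyid 61096, for domain.nx.
; Created: 20110322140421 (Tue Mar 22 16:04:21 2011)
; Publish: 20110322140421 (Tue Mar 22 16:04:21 2011)
; Activate: 20110322140421 (Tue Mar 22 16:04:21 2011)
domain.nx. IN DNSKEY 256 3 8
AwEAAa0E0/k00/lGeWxw4Elw/TWAu7rlZtVWPEtbLA4Fp6DO9sQ9Uh2i
g3Ghd2LQ2excrzRj8FAuJ8SMwsCb4TRCm06hb4U5dW6L8zD3UmfwX3EI
2AyaQ3vGhfeMKCCKKua8gzxsfcpqOqkPYYTszdCFjG1KfatCYEwvEJyf VXPkZbH9
"""

# "ID" of the Private RSA Key object in the post's pkcs15-tool -D output.
PKCS15_PRIVATE_KEY_ID = "2fbe3c50f0b7fd76f86b9efe6a6bb933547ce58c"


def parse_private(text):
    """Parse 'Field: value' lines of a BIND .private file.

    A line without a colon is treated as a continuation of the previous
    value so that a mail-wrapped Modulus is reassembled."""
    fields, last = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if ":" in line:
            name, _, value = line.partition(":")
            last = name.strip()
            fields[last] = value.strip()
        elif last is not None:
            fields[last] += line
    return fields


def decode_label(fields):
    """Engine and Label are base64 of NUL-terminated strings.

    Returns (engine, slot, keyid) with the label split at 'slot:keyid'."""
    engine = base64.b64decode(fields["Engine"]).rstrip(b"\0").decode()
    label = base64.b64decode(fields["Label"]).rstrip(b"\0").decode()
    slot, _, keyid = label.partition(":")
    return engine, int(slot), keyid


def rsa_public_key_rdata(fields):
    """RFC 3110 public key field: exponent length, exponent, modulus."""
    exponent = base64.b64decode(fields["PublicExponent"])
    modulus = base64.b64decode(fields["Modulus"])
    if len(exponent) < 256:
        prefix = bytes([len(exponent)])
    else:
        prefix = b"\0" + len(exponent).to_bytes(2, "big")
    return prefix + exponent + modulus


def parse_dnskey(text):
    """Return (flags, protocol, algorithm, public key bytes) from a .key file."""
    lines = [l for l in text.splitlines() if l.strip() and not l.startswith(";")]
    tokens = " ".join(lines).split()
    idx = tokens.index("DNSKEY")
    flags, proto, alg = (int(t) for t in tokens[idx + 1:idx + 4])
    pubkey = base64.b64decode("".join(tokens[idx + 4:]))
    return flags, proto, alg, pubkey


def key_tag(flags, proto, alg, pubkey):
    """RFC 4034 Appendix B key tag over the full DNSKEY RDATA (algorithm != 1)."""
    rdata = flags.to_bytes(2, "big") + bytes([proto, alg]) + pubkey
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def check_keypair(private_text, key_text, card_key_id):
    """Run every check and return the results as a dict (nothing is printed)."""
    priv = parse_private(private_text)
    engine, slot, keyid = decode_label(priv)
    flags, proto, alg, pubkey = parse_dnskey(key_text)
    return {
        "engine": engine,
        "slot": slot,
        "label_matches_card": keyid == card_key_id,
        "algorithm_matches": priv["Algorithm"].split()[0] == str(alg),
        "public_key_matches": rsa_public_key_rdata(priv) == pubkey,
        "key_tag": key_tag(flags, proto, alg, pubkey),
        "flags": flags,
    }


if __name__ == "__main__":
    for name, value in check_keypair(PRIVATE_FILE, KEY_FILE, PKCS15_PRIVATE_KEY_ID).items():
        print(f"{name}: {value}")
```

If every check passes, the metadata files are not the problem and the investigation moves to the engine side (whether the PKCS#11 module loaded by dnssec-signzone can actually open slot 1 and find a private object with that ID); if the key tag or the public key does not match, the .key and .private files were not generated from the same card object.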
