dnssec-signzone: fatal: cannot sign zone with non-private dnskey
Ivo
ivo at nic.lv
Tue Mar 22 14:46:08 UTC 2011
Hello,
I am trying to sign a zone (domain.nx) using Bind-9.7.3 with
PKCS11/OpenSC. I am able to generate a key on the smartcard using
(pkcs11-keygen) and export the meta-description info with
dnssec-keyfromlabel; however, dnssec-signzone seems to have a problem
finding the private key.
#./dnssec-signzone -E pkcs11 -N unixtime -r /dev/urandom -v 5 -o
domain.nx -a -A -H 2 -3 12345678 -t -k Kdomain.nx.+008+61097
domain.nx Kdomain.nx.+008+61096
dnssec-signzone: fatal: cannot sign zone with non-private dnskey
Kdomain.nx.+008+61096
---
This is how I exported the key information from the smartcard, slot 1 : keyID
# ./dnssec-keyfromlabel -l 1:2fbe3c50f0b7fd76f86b9efe6a6bb933547ce58c -a
RSASHA256 -f KSK domain.nx
Kdomain.nx.+008+61097
#./dnssec-keyfromlabel -l 1:2fbe3c50f0b7fd76f86b9efe6a6bb933547ce58c -a
RSASHA256 domain.nx
Kdomain.nx.+008+61096
#pkcs15-tool -D
Private RSA Key [test]
Object Flags : [0x3], private, modifiable
Usage : [0xC], sign, signRecover
Access Flags : [0x0]
ModLength : 1024
Key ref : 1
Native : yes
Path : 3f005015
Auth ID : 01
ID : 2fbe3c50f0b7fd76f86b9efe6a6bb933547ce58c
Public RSA Key [test]
Object Flags : [0x2], modifiable
Usage : [0xC0], verify, verifyRecover
Access Flags : [0x0]
ModLength : 1024
Key ref : 0
Native : no
Path : 3f0050153000
ID : 2fbe3c50f0b7fd76f86b9efe6a6bb933547ce58c
The Base64-encoded Label seems to match the slot:keyID of the key on the smartcard -
# more Kdomain.nx.+008+61096.private
Private-key-format: v1.3
Algorithm: 8 (RSASHA256)
Modulus:
rQTT+TTT+UZ5bHDgSXD9NYC7uuVm1VY8S1ssDgWnoM72xD1SHaKDcaF3YtDZ7FyvNGPwUC4nxIzCwJvhNEKbTqFvhTl1bovzMPdSZ/BfcQjYDJpDe8aF94woIIo
q5ryDPGx9ymo6qQ9hhOzN0IWMbUp9q0JgTC8QnJ9Vc+Rlsf0=
PublicExponent: AQAB
Engine: cGtjczExAA==
Label: MToyZmJlM2M1MGYwYjdmZDc2Zjg2YjllZmU2YTZiYjkzMzU0N2NlNThjAA==
Created: 20110322140421
Publish: 20110322140421
Activate: 20110322140421
#more Kdomain.nx.+008+61096.key
; This is a zone-signing key, keyid 61096, for domain.nx.
; Created: 20110322140421 (Tue Mar 22 16:04:21 2011)
; Publish: 20110322140421 (Tue Mar 22 16:04:21 2011)
; Activate: 20110322140421 (Tue Mar 22 16:04:21 2011)
domain.nx. IN DNSKEY 256 3 8
AwEAAa0E0/k00/lGeWxw4Elw/TWAu7rlZtVWPEtbLA4Fp6DO9sQ9Uh2i
g3Ghd2LQ2excrzRj8FAuJ8SMwsCb4TRCm06hb4U5dW6L8zD3UmfwX3EI
2AyaQ3vGhfeMKCCKKua8gzxsfcpqOqkPYYTszdCFjG1KfatCYEwvEJyf VXPkZbH9
Has anyone else had a similar problem with the signing tool?
Thanks,
Ivo
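A consistency check over the two key files quoted above, added here as an example and not part of the original post. It decodes the Engine and Label fields (BIND stores them as base64 of NUL-terminated strings), rebuilds the DNSKEY public key blob from Modulus and PublicExponent in the RFC 3110 layout and compares it with the .key record, and reports whether the .private file carries any private RSA components, which a PKCS#11-backed key file is not expected to. The key material is copied from the post with line wrapping removed.

```python
import base64

# Copied from the .private and .key files quoted in the post (wrapping removed).
PRIVATE_FILE = """\
Private-key-format: v1.3
Algorithm: 8 (RSASHA256)
Modulus: rQTT+TTT+UZ5bHDgSXD9NYC7uuVm1VY8S1ssDgWnoM72xD1SHaKDcaF3YtDZ7FyvNGPwUC4nxIzCwJvhNEKbTqFvhTl1bovzMPdSZ/BfcQjYDJpDe8aF94woIIoq5ryDPGx9ymo6qQ9hhOzN0IWMbUp9q0JgTC8QnJ9Vc+Rlsf0=
PublicExponent: AQAB
Engine: cGtjczExAA==
Label: MToyZmJlM2M1MGYwYjdmZDc2Zjg2YjllZmU2YTZiYjkzMzU0N2NlNThjAA==
"""
DNSKEY_RDATA_B64 = (
    "AwEAAa0E0/k00/lGeWxw4Elw/TWAu7rlZtVWPEtbLA4Fp6DO9sQ9Uh2i"
    "g3Ghd2LQ2excrzRj8FAuJ8SMwsCb4TRCm06hb4U5dW6L8zD3UmfwX3EI"
    "2AyaQ3vGhfeMKCCKKua8gzxsfcpqOqkPYYTszdCFjG1KfatCYEwvEJyfVXPkZbH9"
)
# Fields only a software (non-PKCS#11) RSA .private file contains.
PRIVATE_COMPONENTS = ("PrivateExponent", "Prime1", "Prime2",
                      "Exponent1", "Exponent2", "Coefficient")

def parse_private(text):
    """Split a BIND .private file into a {field: value} dict."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            k, v = line.split(":", 1)
            fields[k.strip()] = v.strip()
    return fields

def b64_cstring(value):
    """Engine/Label are base64 of a NUL-terminated C string; drop the NUL."""
    return base64.b64decode(value).rstrip(b"\x00").decode()

def rfc3110_public_key(exponent, modulus):
    """RSA public key blob as carried in DNSKEY RDATA (RFC 3110 section 2)."""
    n = len(exponent)
    prefix = bytes([n]) if n < 256 else b"\x00" + n.to_bytes(2, "big")
    return prefix + exponent + modulus

def inspect_key_pair(private_text, dnskey_b64):
    """Cross-check the .private metadata against the public DNSKEY record."""
    f = parse_private(private_text)
    modulus = base64.b64decode(f["Modulus"])
    public = rfc3110_public_key(base64.b64decode(f["PublicExponent"]), modulus)
    slot, key_id = b64_cstring(f["Label"]).split(":", 1)
    return {
        "engine": b64_cstring(f["Engine"]),
        "slot": slot, "key_id": key_id,
        "modulus_bits": len(modulus) * 8,
        "public_matches_dnskey": public == base64.b64decode(dnskey_b64),
        "has_private_components": any(k in f for k in PRIVATE_COMPONENTS),
    }

if __name__ == "__main__":
    print(inspect_key_pair(PRIVATE_FILE, DNSKEY_RDATA_B64))
```

A result with the public blob matching and no private components means the on-disk files are consistent and the private operation must come from the token through the named engine, so the signing failure is in the engine/token path rather than in the key files.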