<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META content="text/html; charset=gb2312" http-equiv=Content-Type>
<STYLE>
BLOCKQUOTE {
MARGIN-TOP: 0px; MARGIN-BOTTOM: 0px; MARGIN-LEFT: 2em
}
OL {
MARGIN-TOP: 0px; MARGIN-BOTTOM: 0px
}
UL {
MARGIN-TOP: 0px; MARGIN-BOTTOM: 0px
}
P {
MARGIN-TOP: 0px; MARGIN-BOTTOM: 0px
}
BODY {
LINE-HEIGHT: 1.5; FONT-FAMILY: ËÎÌå; COLOR: #000000; FONT-SIZE: 10.5pt
}
</STYLE>
<META name=GENERATOR content="MSHTML 8.00.6001.18702"></HEAD>
<BODY style="MARGIN: 10px">
<DIV>Hi all,</DIV>
<DIV>I'm trying to maintain multiple zones with the same keys, I configured the
policy with ShareKeys valid.</DIV>
<DIV>Zone example, example2 and example3 share the keys correctly,but when I
tried to add the large zone example4 again, some interesting hint came up:</DIV>
<DIV>
<DIV>[root@CST-BJ-104:/var/opendnssec/unsigned]$ods-ksmutil zone add -z example4 -p lab</DIV>
<DIV>zonelist filename set to /etc/opendnssec/zonelist.xml.</DIV>
<DIV>Not enough keys to satisfy ksk policy for zone: example4
</DIV>
<DIV>ods-enforcerd will create some more keys on its next run</DIV>
<DIV>Error allocating ksks to zone example4</DIV>
<DIV>Failed to Link Keys to zone</DIV>
<DIV>Imported zone: example4</DIV></DIV>
<DIV>
<DIV> </DIV>
<DIV>So I triey to import a not-exist zone named example5 to see what keys would
it use, and it turned out that it would share the keys newly created when adding
example4. Do that make sense? Do not all zones share the same KSK and
ZSKs?</DIV>
<DIV>[root@CST-BJ-104:/var/opendnssec/unsigned]$ods-ksmutil key list -v</DIV>
<DIV>SQLite database set to: /var/opendnssec/kasp.db</DIV>
<DIV>/var/opendnssec/kasp.db.our_lock already locked, sleep</DIV>
<DIV>Keys:</DIV>
<DIV>Zone: Keytype: State: Date of next transition (to): Size: Algorithm: CKA_ID: Repository: Keytag:</DIV>
<DIV>example KSK active 2013-07-05 20:48:04 (retire) 2048 8 4f6800a714b360cacaef8f7705b296f4 SoftHSM 3224</DIV>
<DIV>example ZSK retire 2012-07-23 17:15:52 (dead) 1024 8 d4da5c39adce4b840d9e554d28c43b1b SoftHSM 3906</DIV>
<DIV>example ZSK active 2012-07-23 20:04:52 (retire) 1024 8 f1296491876d3d149c0583159a60bab3 SoftHSM 4711</DIV>
<DIV>example3 KSK active 2013-07-19 13:14:27 (retire) 2048 8 4f6800a714b360cacaef8f7705b296f4 SoftHSM 3224</DIV>
<DIV>example3 ZSK retire 2012-07-23 17:15:53 (dead) 1024 8 d4da5c39adce4b840d9e554d28c43b1b SoftHSM 3906</DIV>
<DIV>example3 ZSK active 2012-07-23 20:04:53 (retire) 1024 8 f1296491876d3d149c0583159a60bab3 SoftHSM 4711</DIV>
<DIV>example2 KSK active 2013-07-19 13:12:27 (retire) 2048 8 4f6800a714b360cacaef8f7705b296f4 SoftHSM 3224</DIV>
<DIV>example2 ZSK retire 2012-07-23 17:15:53 (dead) 1024 8 d4da5c39adce4b840d9e554d28c43b1b SoftHSM 3906</DIV>
<DIV>example2 ZSK active 2012-07-23 20:04:53 (retire) 1024 8 f1296491876d3d149c0583159a60bab3 SoftHSM 4711</DIV>
<DIV>example4 ZSK active 2012-07-23 20:04:53 (retire) 1024 8 d4da5c39adce4b840d9e554d28c43b1b SoftHSM 3906</DIV>
<DIV>example4 KSK publish 2012-07-23 16:20:53 (ready) 2048 8 fd2c2f51f36b60a5dad981a9c419e722 SoftHSM 61157</DIV>
<DIV>example5 ZSK active 2012-07-23 20:06:48 (retire) 1024 8 f1296491876d3d149c0583159a60bab3 SoftHSM 4711</DIV>
<DIV>example5 KSK publish 2012-07-23 16:22:48 (ready) 2048 8 fd2c2f51f36b60a5dad981a9c419e722 SoftHSM 61157</DIV></DIV>
<DIV> </DIV>
<DIV>Best regards,</DIV>
<DIV>Stuart</DIV></BODY></HTML>