<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">Keys will not be reused if they are
marked as retired or dead for any of the zones that are using /
have used them.<br>
<br>
Is it possible that a zone has been deleted from this policy? That
would mark its keys as dead and so make them ineligible for
further use. (The idea is that if you keep adding zones then the
keys could get really out of sync unless this is done.)<br>
<br>
Sion<br>
<br>
<br>
On 23/07/12 09:17, 刘硕 wrote:<br>
</div>
<blockquote cite="mid:20120723161742064683317@126.com" type="cite">
<meta http-equiv="Content-Type" content="text/html;
charset=ISO-8859-1">
<style>
BLOCKQUOTE {
MARGIN-TOP: 0px; MARGIN-BOTTOM: 0px; MARGIN-LEFT: 2em
}
OL {
MARGIN-TOP: 0px; MARGIN-BOTTOM: 0px
}
UL {
MARGIN-TOP: 0px; MARGIN-BOTTOM: 0px
}
P {
MARGIN-TOP: 0px; MARGIN-BOTTOM: 0px
}
BODY {
LINE-HEIGHT: 1.5; FONT-FAMILY: 宋体; COLOR: #000000; FONT-SIZE: 10.5pt
}
</style>
<meta name="GENERATOR" content="MSHTML 8.00.6001.18702">
<div>Hi all,</div>
<div>I'm trying to maintain multiple zones with the same keys, so I
configured the policy with ShareKeys enabled.</div>
<div>Zones example, example2 and example3 share the keys
correctly, but when I tried to add the large zone example4 again,
an interesting hint came up:</div>
<div>
<pre>[root@CST-BJ-104:/var/opendnssec/unsigned]$ ods-ksmutil zone add -z example4 -p lab
zonelist filename set to /etc/opendnssec/zonelist.xml.
Not enough keys to satisfy ksk policy for zone: example4
ods-enforcerd will create some more keys on its next run
Error allocating ksks to zone example4
Failed to Link Keys to zone
Imported zone: example4</pre>
</div>
<div>
<div> </div>
<div>So I tried to import a non-existent zone named example5 to see
what keys it would use, and it turned out that it would share
the keys newly created when adding example4. Does that make
sense? Don't all zones share the same KSK and ZSKs?</div>
<pre>[root@CST-BJ-104:/var/opendnssec/unsigned]$ ods-ksmutil key list -v
SQLite database set to: /var/opendnssec/kasp.db
/var/opendnssec/kasp.db.our_lock already locked, sleep
Keys:
Zone:     Keytype:  State:   Date of next transition (to):  Size:  Algorithm:  CKA_ID:                           Repository:  Keytag:
example   KSK       active   2013-07-05 20:48:04 (retire)   2048   8           4f6800a714b360cacaef8f7705b296f4  SoftHSM      3224
example   ZSK       retire   2012-07-23 17:15:52 (dead)     1024   8           d4da5c39adce4b840d9e554d28c43b1b  SoftHSM      3906
example   ZSK       active   2012-07-23 20:04:52 (retire)   1024   8           f1296491876d3d149c0583159a60bab3  SoftHSM      4711
example3  KSK       active   2013-07-19 13:14:27 (retire)   2048   8           4f6800a714b360cacaef8f7705b296f4  SoftHSM      3224
example3  ZSK       retire   2012-07-23 17:15:53 (dead)     1024   8           d4da5c39adce4b840d9e554d28c43b1b  SoftHSM      3906
example3  ZSK       active   2012-07-23 20:04:53 (retire)   1024   8           f1296491876d3d149c0583159a60bab3  SoftHSM      4711
example2  KSK       active   2013-07-19 13:12:27 (retire)   2048   8           4f6800a714b360cacaef8f7705b296f4  SoftHSM      3224
example2  ZSK       retire   2012-07-23 17:15:53 (dead)     1024   8           d4da5c39adce4b840d9e554d28c43b1b  SoftHSM      3906
example2  ZSK       active   2012-07-23 20:04:53 (retire)   1024   8           f1296491876d3d149c0583159a60bab3  SoftHSM      4711
example4  ZSK       active   2012-07-23 20:04:53 (retire)   1024   8           d4da5c39adce4b840d9e554d28c43b1b  SoftHSM      3906
example4  KSK       publish  2012-07-23 16:20:53 (ready)    2048   8           fd2c2f51f36b60a5dad981a9c419e722  SoftHSM      61157
example5  ZSK       active   2012-07-23 20:06:48 (retire)   1024   8           f1296491876d3d149c0583159a60bab3  SoftHSM      4711
example5  KSK       publish  2012-07-23 16:22:48 (ready)    2048   8           fd2c2f51f36b60a5dad981a9c419e722  SoftHSM      61157</pre>
</div>
<div> </div>
<div>Best regards,</div>
<div>Stuart</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
Opendnssec-user mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Opendnssec-user@lists.opendnssec.org">Opendnssec-user@lists.opendnssec.org</a>
<a class="moz-txt-link-freetext" href="https://lists.opendnssec.org/mailman/listinfo/opendnssec-user">https://lists.opendnssec.org/mailman/listinfo/opendnssec-user</a>
</pre>
</blockquote>
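<div>The reply above states the reuse rule: a shared key that is retired or dead for any zone is not handed to further zones. The script below is an added example, not OpenDNSSEC's own code, that applies that rule to the <code>ods-ksmutil key list -v</code> output quoted in the thread. It parses the listing, groups rows by CKA_ID, reports which zones share each key and in what states, flags keys that the rule makes ineligible, and flags keys whose state differs between zones (the "out of sync" case). The key list is copied from the mail and embedded as constructed input; the eligibility test is our reading of the reply, not a statement of how ods-enforcerd itself decides.</div>

```python
"""Added example (not OpenDNSSEC code): check shared-key eligibility from
`ods-ksmutil key list -v` output, using the rule from the mailing-list reply
that a key retired or dead for any zone is not reused for another zone."""
import re
from collections import defaultdict

# Constructed sample: the key list quoted in the original message.
SAMPLE_KEY_LIST = """\
SQLite database set to: /var/opendnssec/kasp.db
Keys:
Zone: Keytype: State: Date of next transition (to): Size: Algorithm: CKA_ID: Repository: Keytag:
example KSK active 2013-07-05 20:48:04 (retire) 2048 8 4f6800a714b360cacaef8f7705b296f4 SoftHSM 3224
example ZSK retire 2012-07-23 17:15:52 (dead) 1024 8 d4da5c39adce4b840d9e554d28c43b1b SoftHSM 3906
example ZSK active 2012-07-23 20:04:52 (retire) 1024 8 f1296491876d3d149c0583159a60bab3 SoftHSM 4711
example3 KSK active 2013-07-19 13:14:27 (retire) 2048 8 4f6800a714b360cacaef8f7705b296f4 SoftHSM 3224
example3 ZSK retire 2012-07-23 17:15:53 (dead) 1024 8 d4da5c39adce4b840d9e554d28c43b1b SoftHSM 3906
example3 ZSK active 2012-07-23 20:04:53 (retire) 1024 8 f1296491876d3d149c0583159a60bab3 SoftHSM 4711
example2 KSK active 2013-07-19 13:12:27 (retire) 2048 8 4f6800a714b360cacaef8f7705b296f4 SoftHSM 3224
example2 ZSK retire 2012-07-23 17:15:53 (dead) 1024 8 d4da5c39adce4b840d9e554d28c43b1b SoftHSM 3906
example2 ZSK active 2012-07-23 20:04:53 (retire) 1024 8 f1296491876d3d149c0583159a60bab3 SoftHSM 4711
example4 ZSK active 2012-07-23 20:04:53 (retire) 1024 8 d4da5c39adce4b840d9e554d28c43b1b SoftHSM 3906
example4 KSK publish 2012-07-23 16:20:53 (ready) 2048 8 fd2c2f51f36b60a5dad981a9c419e722 SoftHSM 61157
example5 ZSK active 2012-07-23 20:06:48 (retire) 1024 8 f1296491876d3d149c0583159a60bab3 SoftHSM 4711
example5 KSK publish 2012-07-23 16:22:48 (ready) 2048 8 fd2c2f51f36b60a5dad981a9c419e722 SoftHSM 61157
"""

# One data row of `key list -v`; the header line and status chatter do not match.
ROW_RE = re.compile(
    r"^(?P<zone>\S+)\s+(?P<keytype>KSK|ZSK)\s+(?P<state>[a-z]+)\s+"
    r"(?P<when>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+\((?P<next>[a-z]+)\)\s+"
    r"(?P<size>\d+)\s+(?P<alg>\d+)\s+(?P<cka_id>[0-9a-f]{32})\s+"
    r"(?P<repo>\S+)\s+(?P<keytag>\d+)$"
)

# States that make a key ineligible for further sharing (rule from the reply).
INELIGIBLE_STATES = {"retire", "dead"}


def parse_key_list(text):
    """Return one dict per key/zone row; lines that are not rows are ignored."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            row = m.groupdict()
            for field in ("size", "alg", "keytag"):
                row[field] = int(row[field])
            rows.append(row)
    return rows


def sharing_report(rows):
    """Group rows by CKA_ID and summarise how each key is shared.

    'eligible' applies the retired/dead rule; 'consistent' is False when the
    same key sits in different states for different zones, i.e. the zones
    have drifted out of sync with each other.
    """
    by_id = defaultdict(list)
    for r in rows:
        by_id[r["cka_id"]].append(r)
    report = {}
    for cka_id, entries in by_id.items():
        states = {e["state"] for e in entries}
        report[cka_id] = {
            "keytype": entries[0]["keytype"],
            "keytag": entries[0]["keytag"],
            "zones": sorted({e["zone"] for e in entries}),
            "states": states,
            "eligible": not (states & INELIGIBLE_STATES),
            "consistent": len(states) == 1,
        }
    return report


def candidate_keys(rows):
    """CKA_IDs a newly added zone could still be given, per key type."""
    out = {"KSK": [], "ZSK": []}
    for cka_id, info in sharing_report(rows).items():
        if info["eligible"]:
            out[info["keytype"]].append(cka_id)
    return out


if __name__ == "__main__":
    rows = parse_key_list(SAMPLE_KEY_LIST)
    for cka_id, info in sharing_report(rows).items():
        flag = "" if info["eligible"] else "  <- retired/dead in some zone, not reusable"
        if not info["consistent"]:
            flag += "  <- state differs between zones"
        print(f"{info['keytype']} {cka_id} tag {info['keytag']}: "
              f"{','.join(info['zones'])} {sorted(info['states'])}{flag}")
    print("still allocatable:", candidate_keys(rows))
```

Run against the quoted listing, the ZSK with CKA_ID d4da5c39... comes out ineligible (retired for example, example2 and example3) and inconsistent (active for example4), which is the symptom the thread is discussing; the two new keys created for example4 are the only ones both eligible and in a single state, and they are what example5 was given.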
<br>
</body>
</html>