[Opendnssec-develop] Standby key issue

sion at nominet.org.uk sion at nominet.org.uk
Mon Oct 26 15:55:13 UTC 2009


> In my kasp.xml, I have :
>
>                         <KSK>
>                                 <Algorithm length="2048">5</Algorithm>
>                                 <Lifetime>PT40M</Lifetime>
>                                 <Repository>softHSM</Repository>
>                                 <Standby>1</Standby>
>                         </KSK>
>
> This means there should always be one prepublished KSK.
>
> In the resultant zone file, there is only one KSK, which is used to
> sign the zone. So, the auditor is complaining that there should be
> an additional prepublished KSK (1 Standby).
>
> Is the auditor right? If so, which component should this story be aimed
> at?

Yes, the auditor is correct.

If 2 ksks are defined in the signconf xml file (the location is defined in
the SignerConfiguration tag of zonelist.xml) then the issue is somewhere in
the signer.

Otherwise it is in the enforcer; note though that if you have
ManualKeyGeneration turned on (in conf.xml) then there may not be enough
keys generated to satisfy the policy. The enforcer should have logged
something to syslog if it has run out of keys.

Sion
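The triage rule in the reply (count the KSKs in the signconf the enforcer wrote, compare against active-plus-Standby from kasp.xml, then blame signer or enforcer) as a small check. This is an added example, not OpenDNSSEC code; the kasp.xml and signconf fragments are constructed, and the signconf element names (Keys/Key/Flags/KSK/Publish) and the `default` policy name are assumptions to be compared against your own files.

```python
import xml.etree.ElementTree as ET

# Constructed kasp.xml fragment: the policy quoted in the thread (Standby = 1).
KASP_XML = """<KASP>
  <Policy name="default">
    <Keys>
      <KSK>
        <Algorithm length="2048">5</Algorithm>
        <Lifetime>PT40M</Lifetime>
        <Repository>softHSM</Repository>
        <Standby>1</Standby>
      </KSK>
    </Keys>
  </Policy>
</KASP>"""

# Constructed signconf as the enforcer might have written it: a single KSK, as in
# the report. Element names follow the signconf layout as assumed here; the locator
# is a placeholder, not a real HSM key id.
SIGNCONF_XML = """<SignerConfiguration>
  <Zone name="example.com">
    <Keys>
      <Key>
        <Flags>257</Flags>
        <Algorithm>5</Algorithm>
        <Locator>PLACEHOLDER_KEY_LOCATOR</Locator>
        <KSK/>
        <Publish/>
      </Key>
    </Keys>
  </Zone>
</SignerConfiguration>"""

def expected_ksks(kasp_xml, policy="default"):
    """One active KSK plus however many Standby KSKs the policy asks for."""
    ksk = ET.fromstring(kasp_xml).find(f"./Policy[@name='{policy}']/Keys/KSK")
    return 1 + int(ksk.findtext("Standby", default="0"))

def published_ksks(signconf_xml):
    """KSKs actually handed to the signer: <KSK/> marker or DNSKEY flags 257."""
    return sum(1 for k in ET.fromstring(signconf_xml).iter("Key")
               if k.find("KSK") is not None or k.findtext("Flags") == "257")

def locate_fault(kasp_xml, signconf_xml):
    """Triage rule from the reply: enough KSKs in signconf -> look at the signer;
    too few -> look at the enforcer (and at syslog if ManualKeyGeneration is on)."""
    want, have = expected_ksks(kasp_xml), published_ksks(signconf_xml)
    return want, have, "signer" if have >= want else "enforcer"
```

With the constructed inputs the check reports two KSKs wanted, one published, so the enforcer side is where to look first.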
