[Opendnssec-user] Key pregeneration in shared-key policies

Rick van Rein rick at openfortress.nl
Fri Sep 10 12:58:54 UTC 2010


Hello Sion,

If I try to pregenerate keys on policies with

ods-ksmutil key generate --policy X --interval P30D

then I would expect to see enough keys to last 30 days.

Our policies use shared keys; could that be the reason
why we're not seeing keys generated?  Also, the problem
of not generating keys occurs on those that have no zones
assigned.  I'm looking in the MySQL database for this.

What I've noticed is that the dnsseckeys table mentions
zone_id and not a policy_id; so if a policy has no zones
it could not have a record in there.  OTOH, in the
keypairs table this would be possible, as it does
mention a policy_id.

What we're trying to do is pregenerate key pairs for
each policy, so the first zone that is registered under
it can immediately be signed, without the need to wait
for the backup procedure.  IOW, this is a bit of a nuisance
but not an emergency of any kind.

Any light you can shed on this is welcome.


Thanks,

Rick van Rein
for SURFnet
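One way to check, from the database side, whether `key generate` produced keypairs for a policy that has no zones yet. This is an added example, not part of this post or of OpenDNSSEC itself: it builds a constructed SQLite miniature of the tables named above (keypairs with a policy_id, dnsseckeys with a zone_id) and queries, per policy, how many keypairs exist and how many are not yet bound to any zone. The policies and zones tables, the keypair_id link column in dnsseckeys, and all sample rows are assumptions.

```python
import sqlite3

# Constructed miniature of the KASP tables the post mentions. Only keypairs.policy_id
# and dnsseckeys.zone_id come from the post; every other table and column is assumed.
SCHEMA = """
CREATE TABLE policies   (id INTEGER PRIMARY KEY, name TEXT);
CREATE TABLE zones      (id INTEGER PRIMARY KEY, name TEXT, policy_id INTEGER);
CREATE TABLE keypairs   (id INTEGER PRIMARY KEY, policy_id INTEGER);
CREATE TABLE dnsseckeys (id INTEGER PRIMARY KEY, keypair_id INTEGER, zone_id INTEGER);
"""

# Constructed sample data: policy 1 has a zone and three keys (two in use),
# policy 2 has no zone yet but one pregenerated key.
SAMPLE = """
INSERT INTO policies   VALUES (1, 'with-zones'), (2, 'no-zones-yet');
INSERT INTO zones      VALUES (10, 'example.net', 1);
INSERT INTO keypairs   VALUES (100, 1), (101, 1), (102, 1), (103, 2);
INSERT INTO dnsseckeys VALUES (1, 100, 10), (2, 101, 10);
"""

# A keypair is "unassigned" when no dnsseckeys row references it, i.e. it was
# pregenerated but no zone has picked it up yet. Policies with zero keypairs
# must report 0 unassigned, hence the k.id IS NOT NULL guard on the LEFT JOIN.
CHECK = """
SELECT p.name,
       (SELECT COUNT(*) FROM zones z WHERE z.policy_id = p.id)          AS zones,
       COUNT(k.id)                                                       AS keypairs_total,
       SUM(CASE WHEN k.id IS NOT NULL AND d.id IS NULL THEN 1 ELSE 0 END) AS keypairs_unassigned
FROM policies p
LEFT JOIN keypairs   k ON k.policy_id = p.id
LEFT JOIN dnsseckeys d ON d.keypair_id = k.id
GROUP BY p.id, p.name
ORDER BY p.name;
"""

def open_sample_db():
    """In-memory database loaded with the constructed schema and rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA + SAMPLE)
    return conn

def pregeneration_report(conn):
    """Per policy: zone count, keypairs generated, keypairs not yet bound to a zone."""
    return {name: {"zones": zones, "keypairs_total": total, "keypairs_unassigned": free}
            for name, zones, total, free in conn.execute(CHECK)}

if __name__ == "__main__":
    for name, stats in pregeneration_report(open_sample_db()).items():
        print(name, stats)
```

Against a real KASP database the same query shape answers the question in the post: a policy with zero zones but a non-zero keypairs_unassigned count did get pregenerated keys, even though nothing appears for it in dnsseckeys.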


