[Opendnssec-user] key management bug / operator error

Paul Wouters paul at nohats.ca
Mon Jan 16 20:28:13 UTC 2012


I did a key generation using:

ods-ksmutil key generate --policy lab --interval P1Y

But forgot I had set the lab policy to 3D for KSK and 1D for ZSK.
So after generating 40 keys, I hit ctrl-c :)

I then removed the keys using:

for i in `ods-hsmutil list | awk '{print $2;}'`; do ods-hsmutil remove $i; done

and regenerated keys using:

ods-ksmutil key generate --policy CIRAlab --interval P14D

However, at this point, opendnssec thought it already had enough KSKs
and only generated ZSKs. I used "inittoken" and "ods-ksmutil setup" to
wipe everything and start from scratch.

I guess this is not really a bug, though there is some state mismatch
between HSM and opendnssec. Perhaps in a later version with some
architecture change, the ksm/ksm could be better integrated so these
types of state mismatch would not happen anymore?


More information about the Opendnssec-user mailing list