[Opendnssec-user] key management bug / operator error
Paul Wouters
paul at nohats.ca
Mon Jan 16 20:28:13 UTC 2012
Hi,
I did a key generation using:
ods-ksmutil key generate --policy lab --interval P1Y
But forgot I had set the lab policy to 3D for KSK and 1D for ZSK.
So after generating 40 keys, I hit ctrl-c :)
I then removed the keys using:
for i in `ods-hsmutil list | awk '{print $2;}'`; do ods-hsmutil remove $i; done
and regenerated keys using:
ods-ksmutil key generate --policy CIRAlab --interval P14D
However, at this point, opendnssec thought it already had enough KSKs
and only generated ZSKs. I used "inittoken" and "ods-ksmutil setup" to
wipe everything and start from scratch.
I guess this is not really a bug, though there is some state mismatch
between HSM and opendnssec. Perhaps in a later version with some
architecture change, the ksm/ksm could be better integrated so these
types of state mismatch would not happen anymore?
Paul
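The mismatch described above (keys deleted from the HSM while the KASP database still lists them) is easy to detect before the signer trips over it. The following reconciliation check is an added example, not part of the post or of OpenDNSSEC itself; it assumes CKA_IDs appear as 32-character hex tokens in the output of both `ods-hsmutil list` and `ods-ksmutil key list --verbose`, and the two listings embedded below are constructed samples, not real tool output.

```python
import re
from typing import Dict, List, Set

# CKA_IDs in OpenDNSSEC are shown as hex strings; this matcher assumes they
# appear as runs of 32 hex characters in both tools' output (an assumption).
HEX_ID = re.compile(r"\b[0-9a-f]{32}\b")


def ids_in(output: str) -> Set[str]:
    """Collect every key identifier found in a tool's listing output."""
    return set(HEX_ID.findall(output))


def reconcile(hsm_listing: str, kasp_listing: str) -> Dict[str, List[str]]:
    """Compare the key objects the HSM actually holds against the keys the
    KASP database believes exist. Keys known only to the database are the
    dangerous case: the signer will try to use them and fail."""
    in_hsm, in_db = ids_in(hsm_listing), ids_in(kasp_listing)
    return {
        "missing_from_hsm": sorted(in_db - in_hsm),  # DB refers to deleted token objects
        "orphaned_in_hsm": sorted(in_hsm - in_db),   # token objects no policy tracks
        "consistent": sorted(in_hsm & in_db),
    }


# Constructed sample listings (not real tool output) mimicking the situation
# in the post: keys removed from the HSM directly, database still listing them.
HSM_LIST = """\
Listing keys in all repositories.
2 keys found.
Repository    ID                                Type
SoftHSM       0f1e2d3c4b5a69788796a5b4c3d2e1f0  RSA/2048
SoftHSM       ffffffffffffffffffffffffffffffff  RSA/1024
"""
KASP_LIST = """\
Zone          Keytype  State     CKA_ID
example.com   KSK      publish   0f1e2d3c4b5a69788796a5b4c3d2e1f0
example.com   KSK      generate  00112233445566778899aabbccddeeff
example.com   ZSK      active    a0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5
"""

if __name__ == "__main__":
    # In practice feed the real listings here, e.g. via subprocess.run(...).stdout
    for kind, ids in reconcile(HSM_LIST, KASP_LIST).items():
        print(f"{kind}: {len(ids)}")
        for cka_id in ids:
            print("   ", cka_id)
```

A non-empty `missing_from_hsm` list is the signal that the KASP database needs repair (or, as in the post, a fresh `ods-ksmutil setup`) before the next signing run.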