[Opendnssec-user] ods-enforcerd: Not enough keys to satisfy ksk policy for zone

Mathieu Arnold mat at mat.cc
Fri Dec 6 17:57:04 UTC 2013


Hi,

SoftHSM 1.3.5, opendnssec 1.4.3.

Today, I added about 30 more zones, I ran ods-ksmutil generate like I
always do so that I can get the keys backed up before they are used, then I
did ods-control enforcer notify so that it began its job with the new
zones. Everything went well for the first 27 zones, and for the last three,
it said:

Dec  6 18:23:36 ns1 ods-enforcerd: Zone veryinbox.fr found.
Dec  6 18:23:36 ns1 ods-enforcerd: Policy for veryinbox.fr set to default.
Dec  6 18:23:36 ns1 ods-enforcerd: Config will be output to /usr/local/var/opendnssec/signconf/veryinbox.fr.xml.
Dec  6 18:23:36 ns1 ods-enforcerd: Not enough keys to satisfy ksk policy for zone: veryinbox.fr
Dec  6 18:23:36 ns1 ods-enforcerd: ods-enforcerd will create some more keys on its next run
Dec  6 18:23:36 ns1 ods-enforcerd: Error allocating ksks to zone veryinbox.fr

I went back and had a look, ods-ksmutil generate did generate enough keys,
I tried HUP'ing it again, no luck, then stop/start, still no luck. Then I
went on to remove the zones, HUP', and add them back, HUP', still no luck.

I have 1614 zones in that policy, 1664 (yes, like the beer) zones total, is
there supposed to be some kind of limit on the number of zones, or keys, or
something, somewhere?

-- 
Mathieu Arnold


