[Opendnssec-user] ods-enforcerd: Not enough keys to satisfy ksk policy for zone

Siôn Lloyd sion at nominet.org.uk
Mon Dec 9 10:06:34 UTC 2013


On 06/12/13 17:57, Mathieu Arnold wrote:
> Hi,
>
> SoftHSM 1.3.5, opendnssec 1.4.3.
>
> Today, I added about 30 more zones, I ran ods-ksmutil generate like I
> always do so that I can get the keys backed up before they are used, then I
> did ods-control enforcer notify so that it began its job with the new
> zones. Everything went well for the first 27 zones, and for the three last,
> it said:
>
> Dec  6 18:23:36 ns1 ods-enforcerd: Zone veryinbox.fr found.
> Dec  6 18:23:36 ns1 ods-enforcerd: Policy for veryinbox.fr set to default.
> Dec  6 18:23:36 ns1 ods-enforcerd: Config will be output to /usr/local/var/opendnssec/signconf/veryinbox.fr.xml.
> Dec  6 18:23:36 ns1 ods-enforcerd: Not enough keys to satisfy ksk policy for zone: veryinbox.fr
> Dec  6 18:23:36 ns1 ods-enforcerd: ods-enforcerd will create some more keys on its next run
> Dec  6 18:23:36 ns1 ods-enforcerd: Error allocating ksks to zone veryinbox.fr
>
> I went back and had a look, ods-ksmutil generate did generate enough keys,
> I tried HUP'ing it again, no luck, then stop/start, still no luck. Then I
> went on to remove the zones, HUP', and add them back, HUP', still no luck.
>
> I have 1614 zones in that policy, 1664 (yes, like the beer) zones total, is
> there supposed to be some kind of limit on the number of zones, or keys, or
> something, somewhere?
>

The only limits are ones that you can set yourself in conf.xml on the
size of a repository; but using SoftHSM this is probably not set.

There used to be an issue with key generation that looked like this, but
I thought it had been fixed... Maybe it has returned or maybe this is a
slightly different problem.

We can have a look, to try to understand what is going on. In the
meantime you can generate keys for longer in order to increase the
number created.

Sion
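
An added example, not part of the reply above and not OpenDNSSEC code: a Python check that reads the `<Capacity>` element of each `<Repository>` in conf.xml (the repository size limit the reply refers to) and flags repositories too small for a given zone count. The sample configuration, its module path and PIN, and the figure of two keys per zone are constructed assumptions; 1614 is the zone count from the question.

```python
import xml.etree.ElementTree as ET

# Constructed sample conf.xml fragment (not from the thread): one repository
# without a Capacity element and one with a limit of 3000 keys.
SAMPLE_CONF = """<Configuration>
  <RepositoryList>
    <Repository name="SoftHSM">
      <Module>/usr/local/lib/softhsm/libsofthsm.so</Module>
      <TokenLabel>OpenDNSSEC</TokenLabel>
      <PIN>placeholder</PIN>
    </Repository>
    <Repository name="Limited">
      <Module>/usr/local/lib/softhsm/libsofthsm.so</Module>
      <TokenLabel>Limited</TokenLabel>
      <PIN>placeholder</PIN>
      <Capacity>3000</Capacity>
    </Repository>
  </RepositoryList>
</Configuration>
"""


def repository_capacities(conf_xml):
    """Return {repository name: capacity}, with None when no limit is set."""
    root = ET.fromstring(conf_xml)
    capacities = {}
    for repo in root.iter("Repository"):
        text = repo.findtext("Capacity")
        # A missing or empty <Capacity> means the repository size is not limited.
        capacities[repo.get("name")] = int(text.strip()) if text and text.strip() else None
    return capacities


def too_small(conf_xml, zones, keys_per_zone):
    """List repositories whose Capacity is below zones * keys_per_zone."""
    needed = zones * keys_per_zone
    return [name for name, cap in repository_capacities(conf_xml).items()
            if cap is not None and cap < needed]


if __name__ == "__main__":
    for name, cap in repository_capacities(SAMPLE_CONF).items():
        print(name, "capacity:", "not set" if cap is None else cap)
    # 1614 zones is from the question; 2 keys per zone (KSK + ZSK) is an assumption.
    print("below required size:", too_small(SAMPLE_CONF, 1614, 2))
```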


