[Opendnssec-user] Maximum key generation interval on 64-bit systems

Gavin Brown gavin.brown at centralnic.com
Tue Jul 16 11:30:08 UTC 2013


Hi there,

We are evaluating an HSM for use with OpenDNSSEC. The vendor has
suggested that we consider manually generating all the keys we are
likely to need up-front, so that we only ever need to do a single backup.

We're using this command to generate the keys:

ods-ksmutil key generate --policy default --interval [PERIOD]

where [PERIOD] is:

	number of zones * expected life of the system

assuming 1 KSK rollover per year. We are planning on 100 zones and
optimistically a 10 year life for the system, equalling 1000 years.

When we try to generate this many keys, we get this error:

Error: unable to convert Interval P1000Y to seconds, error: interval too
long to be an int. E.g. Maximum is ~68 years on a system with 32-bit
integers.

This is on a 64-bit system, so why do we get this error?

Thanks,

-- 
Gavin Brown
Chief Technology Officer
CentralNic Ltd
Innovative, Reliable and Flexible Registry Services
for ccTLD, gTLD and private domain name registries
https://www.centralnic.com/

CentralNic Ltd is a company registered in England and Wales with company
number 4985780. Registered Offices: 35-39 Moorgate, London, EC2R 6AR.
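
The error quoted in the message above, reproduced as an added example (not part of the original post and not OpenDNSSEC's code): on LP64 platforms such as 64-bit Linux, the C `int` type is still 32 bits wide, so a seconds value for P1000Y does not fit in it regardless of the CPU. The function names and the 365-day year and 31-day month are assumptions made for this sketch.

```c
#include <ctype.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed unit lengths (365-day year, 31-day month), not taken from OpenDNSSEC. */
static const int64_t YEAR = 365LL * 86400, MONTH = 31LL * 86400,
                     WEEK = 7LL * 86400, DAY = 86400;

/* Hypothetical helper: convert a date-only ISO 8601 duration ("P1000Y", "P1Y6M")
 * to seconds using 64-bit arithmetic. Returns 0 on success, -1 on bad syntax,
 * -2 if the total does not fit in 64 bits. */
int interval_to_seconds(const char *s, int64_t *out)
{
    int64_t total = 0, unit;
    if (*s++ != 'P' || *s == '\0') return -1;
    while (*s) {
        char *end;
        if (!isdigit((unsigned char)*s)) return -1;
        long long n = strtoll(s, &end, 10);
        switch (*end) {
        case 'Y': unit = YEAR;  break;
        case 'M': unit = MONTH; break;
        case 'W': unit = WEEK;  break;
        case 'D': unit = DAY;   break;
        default:  return -1;
        }
        if (n > (INT64_MAX - total) / unit) return -2;  /* checked before multiplying */
        total += n * unit;
        s = end + 1;
    }
    *out = total;
    return 0;
}

/* The width that matters is that of `int`, not of the CPU or of pointers. */
int fits_in_int(int64_t secs) { return secs <= INT_MAX; }
int max_whole_years_in_int(void) { return (int)(INT_MAX / YEAR); }

int main(void)
{
    int64_t secs;
    printf("sizeof(int)=%zu sizeof(long)=%zu sizeof(void *)=%zu\n",
           sizeof(int), sizeof(long), sizeof(void *));
    if (interval_to_seconds("P1000Y", &secs) == 0)
        printf("P1000Y = %lld s, fits in int: %s, largest whole-year interval: %d\n",
               (long long)secs, fits_in_int(secs) ? "yes" : "no",
               max_whole_years_in_int());
    return 0;
}
```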


