[Opendnssec-user] Maximum key generation interval on 64-bit systems

Klaus Darilion klaus.mailinglists at pernau.at
Tue Jul 16 12:02:19 UTC 2013



On 16.07.2013 13:30, Gavin Brown wrote:
> Hi there,
>
> We are evaluating an HSM for use with OpenDNSSEC. The vendor has
> suggested that we consider manually generating all the keys we are
> likely to need up-front, so that we only ever need to do a single backup.
>
> We're using this command to generate the keys:
>
> ods-ksmutil key generate --policy default --interval [PERIOD]
>
> where [PERIOD] is:
>
> 	number of zones * expected life of the system

IIRC it is not necessary to specify 1000 years. If you have configured
100 zones all using the default policy, then it should be fine to just
specify 10Y as interval - ODS automatically detects that this policy is
used for 100 zones and automatically generates 100 times the required keys.

As test:

# configure one zone
# create the keys
ods-ksmutil key generate --policy default --interval P10Y
--> keys are generated
# create the keys again
ods-ksmutil key generate --policy default --interval P10Y
--> no keys are generated as there are already enough keys
# configure a second zone with the same policy
# create the keys
ods-ksmutil key generate --policy default --interval P10Y
--> again keys are generated as there are not enough keys to fulfill the
policy for 10 years with this amount of zones


regards
Klaus

>
> assuming 1 KSK rollover per year. We are planning on 100 zones and
> optimistically a 10 year life for the system, equalling 1000 years.
>
> When we try to generate this many keys, we get this error:
>
> Error: unable to convert Interval P1000Y to seconds, error: interval too
> long to be an int. E.g. Maximum is ~68 years on a system with 32-bit
> integers.
>
> This is on a 64-bit system, so why do we get this error?
>
> Thanks,
>
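Added example, not part of this thread or of OpenDNSSEC itself: a small Python model of the two points discussed above, the per-zone multiplication that makes a per-policy interval sufficient, and the signed 32-bit limit behind the "interval too long to be an int" error. The year and month lengths, the duration grammar and the one-key-per-lifetime rule are assumptions for the sake of illustration, not ODS's actual conversion code.

```python
import re
from math import ceil

INT32_MAX = 2**31 - 1  # limit of a signed 32-bit int, as in the error message

# Assumed unit lengths (constructed for this example; ODS may convert differently).
UNIT_SECONDS = {"Y": 365 * 86400, "M": 30 * 86400, "D": 86400}

# ISO 8601 style durations such as P10Y, P1Y6M, P1YT12H (simplified grammar, an assumption).
_DURATION_RE = re.compile(
    r"^P(?:(\d+)Y)?(?:(\d+)M)?(?:(\d+)D)?"
    r"(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$"
)


def interval_to_seconds(interval: str) -> int:
    """Convert a duration string like 'P10Y' or 'P1000Y' to seconds (Python ints never overflow)."""
    m = _DURATION_RE.match(interval)
    if not m or interval in ("P", "PT"):
        raise ValueError(f"not a duration: {interval!r}")
    y, mo, d, h, mi, s = (int(g) if g else 0 for g in m.groups())
    return (y * UNIT_SECONDS["Y"] + mo * UNIT_SECONDS["M"] + d * UNIT_SECONDS["D"]
            + h * 3600 + mi * 60 + s)


def fits_int32(interval: str) -> bool:
    """True if the interval survives conversion into a signed 32-bit int; P1000Y does not."""
    return interval_to_seconds(interval) <= INT32_MAX


def max_int32_years() -> int:
    """Whole years representable in a signed 32-bit int of seconds (~68, as the error says)."""
    return INT32_MAX // UNIT_SECONDS["Y"]


def keys_needed(zones: int, interval: str, key_lifetime: str) -> int:
    """Keys to pre-generate for `zones` zones sharing one policy over `interval`,
    assuming one key per `key_lifetime` per zone (a simplification of the real policy)."""
    per_zone = ceil(interval_to_seconds(interval) / interval_to_seconds(key_lifetime))
    return zones * per_zone


if __name__ == "__main__":
    # 100 zones, 10-year system life, one KSK per year: the same interval P10Y
    # covers all zones, so P1000Y (which overflows int32) is never needed.
    print("P10Y fits int32:", fits_int32("P10Y"), "P1000Y fits:", fits_int32("P1000Y"))
    print("max years in int32:", max_int32_years())
    print("keys for 100 zones over P10Y with P1Y lifetime:", keys_needed(100, "P10Y", "P1Y"))
```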


