[Opendnssec-user] Maximum key generation interval on 64-bit systems

Siôn Lloyd sion at nominet.org.uk
Tue Jul 16 13:11:06 UTC 2013


Hi there,

Klaus is correct in that key generation takes into account the number of
zones on the policy; so if you have configured all the zones you should
be okay.

In general the time period is bounded by INT_MAX seconds; my limits.h
file (on a 64-bit machine) defines this as 2147483647... This is the
same as a 32-bit machine would have (although this is not guaranteed to
be true for all systems). We'd have to move to unsigned ints or longs to
get more digits.

Sion

On 16/07/13 13:02, Klaus Darilion wrote:
>
>
> On 16.07.2013 13:30, Gavin Brown wrote:
>> Hi there,
>>
>> We are evaluating an HSM for use with OpenDNSSEC. The vendor has
>> suggested that we consider manually generating all the keys we are
>> likely to need up-front, so that we only ever need to do a single
>> backup.
>>
>> We're using this command to generate the keys:
>>
>> ods-ksmutil key generate --policy default --interval [PERIOD]
>>
>> where [PERIOD] is:
>>
>>     number of zones * expected life of the system
>
> IIRC it is not necessary to specify 1000 years. If you have configured
> 100 zones all using the default policy, then it should be fine to just
> specify 10Y as the interval - ODS automatically detects that this policy
> is used for 100 zones and automatically generates 100 times the
> required keys.
>
> As test:
>
> # configure one zone
> # create the keys
> ods-ksmutil key generate --policy default --interval P10Y
> --> keys are generated
> # create the keys again
> ods-ksmutil key generate --policy default --interval P10Y
> --> no keys are generated as there are already enough keys
> # configure a second zone with the same policy
> # create the keys
> ods-ksmutil key generate --policy default --interval P10Y
> --> again keys are generated as there are not enough keys to fulfill
> the policy for 10 years with this amount of zones
>
>
> regards
> Klaus
>
>>
>> assuming 1 KSK rollover per year. We are planning on 100 zones and
>> optimistically a 10 year life for the system, equalling 1000 years.
>>
>> When we try to generate this many keys, we get this error:
>>
>> Error: unable to convert Interval P1000Y to seconds, error: interval too
>> long to be an int. E.g. Maximum is ~68 years on a system with 32-bit
>> integers.
>>
>> This is on a 64-bit system, so why do we get this error?
>>
>> Thanks,
>>
> _______________________________________________
> Opendnssec-user mailing list
> Opendnssec-user at lists.opendnssec.org
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
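The exchange above turns on a detail that is easy to miss: "64-bit system" refers to the pointer and `long` width, while `ods-ksmutil` stores the interval in a plain C `int`, which stays 32 bits under the LP64 model used by x86-64 Linux and the BSDs. The following is an added, stand-alone illustration written for this archive page; it is not OpenDNSSEC's code (its own interval parser may differ in how it treats calendar units) and the function names `iso_duration_seconds` and `interval_fits_int` are made up for the example. It assumes fixed unit lengths of 365 days per year and 31 days per month; the point it makes, that P68Y fits in an `int` while P69Y and P1000Y do not, does not depend on those choices. Accumulating in `int64_t` is the portable version of Siôn's "move to longs": `long` is 64 bits under LP64 but still 32 bits under LLP64 (64-bit Windows), so `int64_t` is the width you can actually rely on.

```c
#include <ctype.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Illustrative parser written for this thread; not OpenDNSSEC's own code.
 * Calendar units use fixed lengths (assumption): a month is 31 days and a
 * year 365 days. */
#define SECS_PER_DAY   86400LL
#define SECS_PER_MONTH (31LL * SECS_PER_DAY)
#define SECS_PER_YEAR  (365LL * SECS_PER_DAY)

/* Convert an ISO 8601 duration ("P10Y", "P1000Y", "P1DT12H", "PT30M") to
 * seconds, accumulating in a 64-bit integer so the result itself cannot
 * silently wrap. Returns -1 on malformed input or int64 overflow. */
int64_t iso_duration_seconds(const char *s)
{
    if (s == NULL || *s != 'P') return -1;
    s++;
    int in_time = 0;    /* after 'T', 'M' means minutes rather than months */
    int fields = 0;
    int64_t total = 0;

    while (*s) {
        if (*s == 'T') {
            if (in_time) return -1;
            in_time = 1;
            s++;
            continue;
        }
        if (!isdigit((unsigned char)*s)) return -1;
        int64_t n = 0;
        while (isdigit((unsigned char)*s)) {
            if (n > (INT64_MAX - 9) / 10) return -1;  /* number itself too long */
            n = n * 10 + (*s++ - '0');
        }
        int64_t unit;
        switch (*s) {
        case 'Y': if (in_time) return -1;  unit = SECS_PER_YEAR;    break;
        case 'W': if (in_time) return -1;  unit = 7 * SECS_PER_DAY; break;
        case 'D': if (in_time) return -1;  unit = SECS_PER_DAY;     break;
        case 'M': unit = in_time ? 60 : SECS_PER_MONTH;             break;
        case 'H': if (!in_time) return -1; unit = 3600;             break;
        case 'S': if (!in_time) return -1; unit = 1;                break;
        default:  return -1;
        }
        s++;
        if (n > INT64_MAX / unit) return -1;          /* n * unit would overflow */
        if (total > INT64_MAX - n * unit) return -1;  /* running sum would overflow */
        total += n * unit;
        fields++;
    }
    return fields ? total : -1;
}

/* The check behind the error Gavin hit: the interval has to fit in a C int.
 * Under LP64 (x86-64 Linux/BSD) int is still 32 bits, so INT_MAX is
 * 2147483647 whether or not the machine is 64-bit; only long and int64_t
 * are wider. Returns 1 if the interval fits in an int, 0 if it is
 * "too long to be an int", -1 if it does not parse at all. */
int interval_fits_int(const char *s)
{
    int64_t secs = iso_duration_seconds(s);
    if (secs < 0) return -1;
    return secs <= INT_MAX ? 1 : 0;
}

int main(void)
{
    const char *samples[] = { "P10Y", "P68Y", "P69Y", "P1000Y" };
    printf("sizeof(int)=%zu sizeof(long)=%zu INT_MAX=%d\n",
           sizeof(int), sizeof(long), INT_MAX);
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int64_t secs = iso_duration_seconds(samples[i]);
        printf("%-7s = %12lld s: %s\n", samples[i], (long long)secs,
               interval_fits_int(samples[i]) == 1 ? "fits in int"
                                                   : "too long to be an int");
    }
    return 0;
}
```

Built with any C99 compiler on a 64-bit Linux box this prints `sizeof(int)=4 sizeof(long)=8` on the first line, which is the whole answer to the question in the thread: the machine is 64-bit, the `int` is not. The practical workaround Klaus describes still applies regardless of the parser: give `--interval` the system lifetime (P10Y) and let the zone count on the policy supply the multiplier, rather than folding the zone count into the interval.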



