[Opendnssec-user] enforcer-ng produces suspicious number of ZSKs

Petr Spacek pspacek at redhat.com
Tue Mar 11 16:52:11 UTC 2014


Hello list,

I'm playing with enforcer-ng and I have noticed that it generates a suspicious 
number of ZSKs for my test zone.

I have built enforcer-ng myself from git, HEAD 
d7ba5fa96bcd8e6e6744e89d11fa2da88f7572c7.

I'm using SoftHSM v2 built from git, HEAD 
c893d407b789e81e2d9fab5b112cc59648ba644a. It is configured with "db" backend.

My system is Fedora 20 x86_64.

# ods-enforcer zone add --zone lab1.test.
Imported zone: lab1.test. into database only. Use the --xml flag or run 
"ods-enforcer zonelist export" if an update of zonelist.xml is required.
generating 1 KSKs of 2048 bits for policy 'default'.
generating 2048 bit RSA key in repository: SoftHSM
key generation successful: 7efdabae0433129e47649bb51ab2dbdb
finished generating 2048 bit KSKs.
generating 5 ZSKs of 1024 bits for policy 'default'.
generating 1024 bit RSA key in repository: SoftHSM
key generation successful: c9666dfba6f038118c196d181d12a9d7
generating 1024 bit RSA key in repository: SoftHSM
key generation successful: 281c2272fb0e720963f98a6b4bdae4d5
generating 1024 bit RSA key in repository: SoftHSM
key generation successful: 584cd0733d00beb4d4f97e6b2678accc
generating 1024 bit RSA key in repository: SoftHSM
key generation successful: 6b8e9baa08199537fda9a76134aa862c
generating 1024 bit RSA key in repository: SoftHSM
key generation successful: d1ab1dd54f4438c4c247df64bbb2320e
finished generating 1024 bit ZSKs.
no KSK keys of 2048 bits needed for policy 'lab'.
no ZSK keys of 1024 bits needed for policy 'lab'.
zone add completed in 15 seconds.


# ods-hsmutil list
Listing keys in all repositories.
6 keys found.

Repository            ID                                Type
----------            --                                ----
SoftHSM               584cd0733d00beb4d4f97e6b2678accc  RSA/1024
SoftHSM               d1ab1dd54f4438c4c247df64bbb2320e  RSA/1024
SoftHSM               7efdabae0433129e47649bb51ab2dbdb  RSA/2048
SoftHSM               c9666dfba6f038118c196d181d12a9d7  RSA/1024
SoftHSM               281c2272fb0e720963f98a6b4bdae4d5  RSA/1024
SoftHSM               6b8e9baa08199537fda9a76134aa862c  RSA/1024


# ods-enforcer key list --verbose
Keys:
Zone:                           Keytype: State:    Date of next transition: Size: Algorithm: CKA_ID:                          Repository: KeyTag:
lab1.test.                      KSK      generate  2014-03-13 05:35:24      2048  8          7efdabae0433129e47649bb51ab2dbdb SoftHSM     53104
lab1.test.                      ZSK      publish   2014-03-13 05:35:24      1024  8          c9666dfba6f038118c196d181d12a9d7 SoftHSM     20835


Is it a bug? Or did I misunderstand KASP? (attached)

-- 
Petr Spacek  @  Red Hat
Attachment: kasp.xml (text/xml, 3372 bytes)
URL: <http://lists.opendnssec.org/pipermail/opendnssec-user/attachments/20140311/ff0fc4a7/attachment.xml>
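The discrepancy in the post is between the six keys `ods-hsmutil list` shows in the repository and the two keys `ods-enforcer key list --verbose` shows for the zone. The script below is an added example, not part of OpenDNSSEC or of the original post: it parses both listings, counts keys per algorithm and size on each side, and reports CKA_IDs that exist on only one side (pre-generated keys not yet assigned to a zone, or, the dangerous direction, keys the enforcer tracks that are missing from the HSM). The two input strings are constructed from the listings in the post so the example runs offline; in practice you would feed it the live output of the two commands. The row regex for the enforcer listing deliberately lets `\s+` span newlines, so output wrapped by a mailer, as in the post, still parses.

```python
"""Reconcile the keys an OpenDNSSEC HSM repository holds with the keys the
enforcer tracks.  Added example written for this post; not OpenDNSSEC code."""
import re
from collections import Counter

# Constructed sample input: the `ods-hsmutil list` output from the post.
HSMUTIL_LIST = """\
Listing keys in all repositories.
6 keys found.

Repository            ID                                Type
----------            --                                ----
SoftHSM               584cd0733d00beb4d4f97e6b2678accc  RSA/1024
SoftHSM               d1ab1dd54f4438c4c247df64bbb2320e  RSA/1024
SoftHSM               7efdabae0433129e47649bb51ab2dbdb  RSA/2048
SoftHSM               c9666dfba6f038118c196d181d12a9d7  RSA/1024
SoftHSM               281c2272fb0e720963f98a6b4bdae4d5  RSA/1024
SoftHSM               6b8e9baa08199537fda9a76134aa862c  RSA/1024
"""

# Constructed sample input: the `ods-enforcer key list --verbose` output from
# the post, kept with the mailer's line wrapping to show the parser copes.
ENFORCER_KEY_LIST = """\
Keys:
Zone:                           Keytype: State:    Date of next transition:
Size: Algorithm: CKA_ID:                          Repository: KeyTag:
lab1.test.                      KSK      generate  2014-03-13 05:35:24
2048  8          7efdabae0433129e47649bb51ab2dbdb SoftHSM     53104
lab1.test.                      ZSK      publish   2014-03-13 05:35:24
1024  8          c9666dfba6f038118c196d181d12a9d7 SoftHSM     20835
"""

# One HSM row: <repository> <32 hex CKA_ID> <algorithm>/<bits>
HSM_ROW = re.compile(r"^(\S+)\s+([0-9a-f]{32})\s+([A-Za-z]+)/(\d+)\s*$", re.M)

# One enforcer row; \s+ between fields also matches a newline, so rows that
# were wrapped across two lines parse as one record.
ENFORCER_ROW = re.compile(
    r"(\S+)\s+(KSK|ZSK|CSK)\s+(\S+)\s+(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+"
    r"(\d+)\s+(\d+)\s+([0-9a-f]{32})\s+(\S+)\s+(\d+)"
)


def parse_hsm_list(text):
    """Map CKA_ID -> (repository, algorithm, bits) from `ods-hsmutil list`."""
    return {m.group(2): (m.group(1), m.group(3), int(m.group(4)))
            for m in HSM_ROW.finditer(text)}


def parse_enforcer_key_list(text):
    """Map CKA_ID -> record dict from `ods-enforcer key list --verbose`."""
    keys = {}
    for m in ENFORCER_ROW.finditer(text):
        zone, ktype, state, when, bits, alg, cka, repo, tag = m.groups()
        keys[cka] = {"zone": zone, "keytype": ktype, "state": state,
                     "next_transition": when, "bits": int(bits),
                     "algorithm": int(alg), "repository": repo,
                     "keytag": int(tag)}
    return keys


def reconcile(hsm_keys, enforcer_keys):
    """Count keys on each side and list CKA_IDs present on only one side."""
    return {
        "hsm_by_type": Counter((alg, bits) for _, alg, bits in hsm_keys.values()),
        "enforcer_by_keytype": Counter(k["keytype"] for k in enforcer_keys.values()),
        # Generated in the HSM but not shown for any zone by the enforcer.
        "unreferenced_in_hsm": sorted(set(hsm_keys) - set(enforcer_keys)),
        # Tracked by the enforcer but absent from the HSM: signing would fail.
        "missing_from_hsm": sorted(set(enforcer_keys) - set(hsm_keys)),
    }


if __name__ == "__main__":
    report = reconcile(parse_hsm_list(HSMUTIL_LIST),
                       parse_enforcer_key_list(ENFORCER_KEY_LIST))
    for name, value in report.items():
        print(f"{name}: {value}")
```

On the post's data this reports five RSA/1024 and one RSA/2048 key in the repository, one KSK and one ZSK tracked for the zone, four 1024-bit CKA_IDs unreferenced by any zone, and nothing missing from the HSM. The last list is the one worth alerting on in a monitoring job, since a key the enforcer expects but the HSM no longer has will break signing at the next rollover.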

