[Opendnssec-user] enforcer-ng produces suspicious number of ZSKs
Paul Wouters
paul at nohats.ca
Wed Mar 12 03:48:52 UTC 2014
On Tue, 11 Mar 2014, Petr Spacek wrote:
> generating 1 KSKs of 2048 bits for policy 'default'.
> generating 5 ZSKs of 1024 bits for policy 'default'.
It generated one year's worth of keys. With a 365D lifetime for KSK,
that means 1 key. With a 90D ZSK lifetime, that means 5.
> # ods-enforcer key list --verbose
> Keys:
> Zone: Keytype: State: Date of next transition: Size: Algorithm: CKA_ID: Repository: KeyTag:
> lab1.test. KSK generate 2014-03-13 05:35:24 2048 8 7efdabae0433129e47649bb51ab2dbdb SoftHSM 53104
> lab1.test. ZSK publish 2014-03-13 05:35:24 1024 8 c9666dfba6f038118c196d181d12a9d7 SoftHSM 20835
> Is it a bug? Or did I misunderstand KASP? (attached)
Two keys are in use by ods, the other keys are just waiting in the
softhsm for when ods needs one.
Paul