[Opendnssec-user] enforcer-ng produces suspicious number of ZSKs

Petr Spacek pspacek at redhat.com
Wed Mar 12 09:17:34 UTC 2014


On 12.3.2014 06:25, Jerry Lundström wrote:
> Hi Petr,
>
> On Wed, Mar 12, 2014 at 4:48 AM, Paul Wouters <paul at nohats.ca> wrote:
>
>> On Tue, 11 Mar 2014, Petr Spacek wrote:
>>
>>> generating 1 KSKs of 2048 bits for policy 'default'.
>>> generating 5 ZSKs of 1024 bits for policy 'default'.
>>>
>>
>> It generated one year's worth of keys. With a 365D lifetime for KSK,
>> that means 1 key. With a 90D ZSK lifetime, that means 5.
>>
>
> As Paul pointed out, I think you missed the <AutomaticKeyGenerationPeriod>
> option in conf.xml. You will need to lower it if you're using the lab policy.
Right, I have missed that. BTW shouldn't AutomaticKeyGenerationPeriod be 
configurable per-policy? It seems that you can't use P1Y for default policy 
and P7D for lab policy.


However, can AutomaticKeyGenerationPeriod explain the difference between first 
and second "zone add" run with the same policy?

Default policy:
#  ods-enforcer zone add --zone def1.test.
generating 1 KSKs of 2048 bits for policy 'default'.
generating 5 ZSKs of 1024 bits for policy 'default'.

#  ods-enforcer zone add --zone def2.test.
generating 2 KSKs of 2048 bits for policy 'default'.
generating 6 ZSKs of 1024 bits for policy 'default'.


Lab policy:
# ods-enforcer zone add --zone lab1.test. --policy lab
generating 1 KSKs of 2048 bits for policy 'lab'.
generating 2190 ZSKs of 1024 bits for policy 'lab'.

# ods-enforcer zone add --zone lab2.test. --policy lab
generating 1 KSKs of 2048 bits for policy 'lab'.
generating 4324 ZSKs of 1024 bits for policy 'lab'.


Why does it generate a different number of KSKs and ZSKs between the first and the 
second run? It seems that the second and all subsequent runs produce the same number of 
keys.

I had an empty database at the beginning, so def1.test. and lab1.test. were the 
first zones with the given policy.

(I do ods-enforcer setup && ods-control stop && softhsm-util --init-slot && 
ods-control start before each experiment.)

-- 
Petr^2 Spacek
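The rule Paul states above (one year's worth of keys, so 1 KSK at a 365-day lifetime and 5 ZSKs at a 90-day lifetime) can be checked with a small calculation. The following is an added example, not code from OpenDNSSEC or from anyone in the thread: it parses the ISO 8601 durations used in conf.xml and kasp.xml and computes ceil(AutomaticKeyGenerationPeriod / key lifetime) per key type. The "lab" policy lifetimes below are constructed values, not the poster's real lab policy, and the function implements only the simple rule from the thread, not enforcer-ng's own pre-generation logic (which, as the second "zone add" runs show, can produce more keys than this rule).

```python
import math
import re
from datetime import timedelta

# Hypothetical helper: parse the ISO 8601 durations OpenDNSSEC uses in
# conf.xml and kasp.xml (e.g. P1Y, P90D, P7D, PT4H). Years are taken as
# 365 days and months as 30 days; that approximation is a choice made
# for this example only.
_DURATION_RE = re.compile(
    r"^P(?:(?P<y>\d+)Y)?(?:(?P<mo>\d+)M)?(?:(?P<w>\d+)W)?(?:(?P<d>\d+)D)?"
    r"(?:T(?:(?P<h>\d+)H)?(?:(?P<mi>\d+)M)?(?:(?P<s>\d+)S)?)?$"
)


def parse_duration(text: str) -> timedelta:
    """Convert an ISO 8601 duration string into a timedelta."""
    m = _DURATION_RE.match(text)
    if not m or text in ("P", "PT"):
        raise ValueError(f"not an ISO 8601 duration: {text!r}")
    g = {k: int(v or 0) for k, v in m.groupdict().items()}
    days = g["y"] * 365 + g["mo"] * 30 + g["w"] * 7 + g["d"]
    return timedelta(days=days, hours=g["h"], minutes=g["mi"], seconds=g["s"])


def keys_needed(generation_period: str, key_lifetime: str) -> int:
    """Keys to pre-generate so that every rollover inside one
    AutomaticKeyGenerationPeriod has a fresh key: ceil(period / lifetime).
    Simple rule from the thread, not enforcer-ng's own algorithm."""
    period = parse_duration(generation_period)
    lifetime = parse_duration(key_lifetime)
    if lifetime <= timedelta(0):
        raise ValueError("key lifetime must be positive")
    return math.ceil(period / lifetime)


# Policies as {name: {key type: lifetime}}. "default" uses the lifetimes
# quoted in the thread; "lab" is a constructed example of a short-lived policy.
POLICIES = {
    "default": {"KSK": "P365D", "ZSK": "P90D"},
    "lab": {"KSK": "P7D", "ZSK": "PT1H"},  # constructed values
}


def plan(policies: dict, generation_period: str) -> dict:
    """Return {policy: {key type: count}} for a given generation period,
    so the effect of lowering AutomaticKeyGenerationPeriod is visible."""
    return {
        name: {ktype: keys_needed(generation_period, life) for ktype, life in keys.items()}
        for name, keys in policies.items()
    }


if __name__ == "__main__":
    for period in ("P1Y", "P7D"):
        print(f"AutomaticKeyGenerationPeriod={period}:")
        for name, counts in plan(POLICIES, period).items():
            for ktype, n in counts.items():
                print(f"  generating {n} {ktype}s for policy '{name}'")
```

Running it with a one-year period reproduces the 1 KSK / 5 ZSK figure for the default policy and shows why a short-lived lab policy needs a much smaller AutomaticKeyGenerationPeriod, which is the point of Jerry's remark: the setting is global in conf.xml, so a single value has to fit every policy.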


