[Opendnssec-user] enforcer-ng produces suspicious number of ZSKs

Petr Spacek pspacek at redhat.com
Thu Mar 13 12:16:25 UTC 2014


On 13.3.2014 11:54, Yuri Schaeffer wrote:
> On 12-03-14 10:17, Petr Spacek wrote:
>> However, can AutomaticKeyGenerationPeriod explain the difference between
>> first and second "zone add" run with the same policy?
>>
>> Default policy:
>> #  ods-enforcer zone add --zone def1.test.
>> generating 1 KSKs of 2048 bits for policy 'default'.
>> generating 5 ZSKs of 1024 bits for policy 'default'.
>>
>> #  ods-enforcer zone add --zone def2.test.
>> generating 2 KSKs of 2048 bits for policy 'default'.
>> generating 6 ZSKs of 1024 bits for policy 'default'.
>
> I think I know where this comes from. You configure to pregenerate a
> pool of 5 ZSKs for each zone for that specific policy.
>
> When you add the first zone, it generates 5 keys, then uses 1 for
> def1.test. 4 keys are left in the pool.
> Second zone, it wants to have 2x5 keys in the pool so needs to generate
> another 6.
>
>> Lab policy:
>> # ods-enforcer zone add --zone lab1.test. --policy lab
>> generating 1 KSKs of 2048 bits for policy 'lab'.
>> generating 2190 ZSKs of 1024 bits for policy 'lab'.
>>
>> # ods-enforcer zone add --zone lab2.test. --policy lab
>> generating 1 KSKs of 2048 bits for policy 'lab'.
>> generating 4324 ZSKs of 1024 bits for policy 'lab'.
>
> A similar thing is happening, this time your key lifetime is short. By
> the time you are doing the 2nd zone add I guess the first was not
> finished yet. I hope at this time only 1 key generation task is running,
Thank you for the explanation!

> else you will end up with 6514 keys instead of 4324.
>
> This is something that is on my list of revising / discussing how key
> pre-generation should work exactly.
>
>> (I do ods-enforcer setup && ods-control stop && softhsm-util
>> --init-slot && ods-control start before each experiment.)
>
> I'm unsure what the effect is of "softhsm-util --init-slot" after you do
> the setup command. During the setup the enforcer will have some
> interaction with the HSM.

So the question is: how am I supposed to correctly wipe out the enforcer's DB and 
HSM to start from scratch? :-)

Thank you for your time!

-- 
Petr Spacek  @  Red Hat
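The pool arithmetic Yuri describes above, as an added worked example (not code from the thread or from OpenDNSSEC itself): each "zone add" tops the ZSK pool up to zones x per-zone pool size and then takes one key for the new zone. The per-zone size is assumed here to be ceil(AutomaticKeyGenerationPeriod / ZSK lifetime); the 365-day / 73-day pairing is constructed so that it yields the 5 keys seen in the default policy.

```python
import math
from typing import List


def pool_size_per_zone(generation_period_days: int, zsk_lifetime_days: int) -> int:
    """Keys one zone consumes during AutomaticKeyGenerationPeriod.

    Assumption: ceil(period / lifetime). A short lifetime (the 'lab' policy
    above) makes this number explode, which is what fills the HSM with
    thousands of ZSKs per zone.
    """
    return math.ceil(generation_period_days / zsk_lifetime_days)


def simulate_zone_adds(zone_count: int, per_zone: int) -> List[int]:
    """Return, per 'zone add', how many ZSKs the enforcer reports generating.

    Model from Yuri's explanation: before each add the pool is refilled to
    zones * per_zone, then the new zone takes one key out of the pool.
    """
    pool = 0
    generated = []
    for zones in range(1, zone_count + 1):
        need = max(0, zones * per_zone - pool)
        generated.append(need)
        pool += need
        pool -= 1  # the new zone's active ZSK comes out of the pool
    return generated


def surplus(reported: List[int], expected: List[int]) -> List[int]:
    """Reported minus expected counts per add; a large positive value means
    an add ran while an earlier generation task was still in progress
    (the 'lab' case), i.e. more keys are being generated than the policy needs."""
    return [r - e for r, e in zip(reported, expected)]


if __name__ == "__main__":
    per_zone = pool_size_per_zone(365, 73)           # constructed: 5 keys/zone
    print(simulate_zone_adds(2, per_zone))           # [5, 6] as in the thread
    lab_expected = simulate_zone_adds(2, 2190)       # [2190, 2191]
    print(surplus([2190, 4324], lab_expected))       # [0, 2133]
```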


