[Opendnssec-user] Key NOT ALLOCATED

Sara Dickinson sara at sinodun.com
Thu May 8 09:02:37 UTC 2014

Hi Fred, 

An extension was made to the ‘key list’ command in 1.4.4 based on a number of user requests (from the release notes):

* OPENDNSSEC-358: ods-ksmutil: Extend 'key list' command with options to filter on key type and state. This allows keys in the GENERATE and DEAD state to be output.

and the new syntax is described here:


One side effect of this is that additional keys may now also be listed in the default output because the results are no longer limited to only those keys that are allocated to zones. The NOT ALLOCATED text was added for such cases and would typically only be seen when viewing generated keys (for example, pre-generated keys are associated with a policy but are not allocated to zones until they are used).

In your case I see that the keys have the same CKA_ID, which suggests they were used on a shared policy. They may have been allocated to zones that were later deleted (and the keys were not deleted because they were in use by other zones)? 


On 8 May 2014, at 09:17, Fred.Zwarts <F.Zwarts at KVI.nl> wrote:

> I installed opendnssec 1.4.5 over an opendnssec 1.4.3 installation.
> Now when I use the "ods-ksmutil key list --verbose" command I see lines that I did not see with the previous version:
> NOT ALLOCATED                   KSK           dsready   When required (keypub)   2048    8           310a8e2e58cbafab7aa934e2a3fd8598  SoftHSM
> and
> NOT ALLOCATED                   KSK           dssub     waiting for ds-seen (dspub)    2048    8           310a8e2e58cbafab7aa934e2a3fd8598  SoftHSM
> The words "NOT ALLOCATED" are seen where normally the domain name appears.
> I assume that NOT ALLOCATED means that it is not allocated for a domain.
> I don't understand how a key that is not allocated for a domain can be in the state dsready, or dssub.
> Can somebody explain this? 
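
An added example, not part of the original messages and not OpenDNSSEC code: a small parser for the `key list --verbose` rows quoted above that groups them by CKA_ID, so a NOT ALLOCATED entry whose key is still used by a zone (the shared-policy case) can be told apart from one that no zone references. The column layout is assumed from the two quoted lines; the `example.com` row, the `aaaa...` CKA_ID and the transition text on the `generate` row are constructed sample data.

```python
import re
from collections import defaultdict

# Column layout assumed from the two lines quoted in the thread:
# zone, key type, state, next-transition text, size, algorithm, CKA_ID, repository.
ROW = re.compile(
    r"^(?P<zone>NOT ALLOCATED|\S+)\s+(?P<type>KSK|ZSK)\s+(?P<state>\S+)\s+"
    r"(?P<next>.*?)\s+(?P<size>\d+)\s+(?P<alg>\d+)\s+"
    r"(?P<cka_id>[0-9a-f]{32})\s+(?P<repo>\S+)"
)

# Rows 2 and 3 are the lines from the thread; rows 1 and 4 are constructed.
SAMPLE = """\
example.com                     KSK           dsready   When required (keypub)   2048    8           310a8e2e58cbafab7aa934e2a3fd8598  SoftHSM
NOT ALLOCATED                   KSK           dsready   When required (keypub)   2048    8           310a8e2e58cbafab7aa934e2a3fd8598  SoftHSM
NOT ALLOCATED                   KSK           dssub     waiting for ds-seen (dspub)    2048    8           310a8e2e58cbafab7aa934e2a3fd8598  SoftHSM
NOT ALLOCATED                   ZSK           generate  (not scheduled) (publish)   1024    8           aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa  SoftHSM
"""


def parse_key_list(text):
    """Return one dict per recognised key row; headers and other lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def unallocated_report(rows):
    """Map each CKA_ID that has a NOT ALLOCATED row to the zones still listing it."""
    zones = defaultdict(set)
    flagged = set()
    for r in rows:
        if r["zone"] == "NOT ALLOCATED":
            flagged.add(r["cka_id"])
        else:
            zones[r["cka_id"]].add(r["zone"])
    return {cid: sorted(zones[cid]) for cid in sorted(flagged)}


if __name__ == "__main__":
    for cka_id, used_by in unallocated_report(parse_key_list(SAMPLE)).items():
        status = "still used by " + ", ".join(used_by) if used_by else "no zone lists this key"
        print(f"{cka_id}: {status}")
```
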