[Opendnssec-user] Re: Key NOT ALLOCATED

Fred.Zwarts F.Zwarts at KVI.nl
Thu May 8 09:24:23 UTC 2014

Hi Sara,

Thanks for the fast response. This may explain it. We use shared keys and 
this key is used indeed for other zones.

Is there is simple way to exclude the unallocated keys and get the old 
listing behaviour?
(I now use " | grep -v "NOT ALLOCATED".
This incompatible change broke one of my scripts, so I used this work-around 
to fix it, but I wonder whether there are other cases that may pop up 


>Hi Fred,
>An extension was made to the ‘key list’ command in 1.4.4 based on a number 
>of user requests (from the release notes):
>* OPENDNSSEC-358: ods-ksmutil: Extend 'key list' command with options to 
>filter on key type and state. This allows keys in the GENERATE and DEAD 
>state to be output.
>and the new syntax is described here:
>One side effect of this is that additional keys may now also be listed in 
>the default output because the results are no longer limited to only those 
>keys that are allocated to zones. The NOT ALLOCATED text was added for such 
>cases and would typically only be seen when viewing generated keys (for 
>example, pre-generated keys are associated with a policy but are not 
>allocated to zones until they are used).
>In your case I see that the keys have the same CKA_ID, which suggests they 
>were used on a shared policy. They may have been allocated to zones that 
>were later deleted (and the keys were not deleted because they were in use 
>by other zones)?
>On 8 May 2014, at 09:17, Fred.Zwarts 
><F.Zwarts at KVI.nl> wrote:
>I installed opendnssec 1.4.5 over an opendnssec 1.4.3 installation.
>Now when I use the " ods-ksmutil key list --verbose" command I see lines 
>that I did not see with the previous version:
>NOT ALLOCATED                   KSK           dsready   When required 
>(keypub)   2048    8           310a8e2e58cbafab7aa934e2a3fd8598  SoftHSM
>NOT ALLOCATED                   KSK           dssub     waiting for ds-seen 
>(dspub)    2048    8           310a8e2e58cbafab7aa934e2a3fd8598  SoftHSM
>The words "NOT ALLOCATED" are seen where normally the domain name appears.
>I assume that NOT ALLOCATED means that it is not allocated for a domain.
>I don't understand how a key that is not allocated for a domain can be in 
>the state dsready, or dssub.
>Can somebody explain this?
>Opendnssec-user mailing list
>mailto:Opendnssec-user at lists.opendnssec.org

More information about the Opendnssec-user mailing list