[Opendnssec-user] Error allocating ksks / zsks
Yuri Schaeffer
yuri at nlnetlabs.nl
Thu Jan 28 09:32:03 UTC 2016
Hi Håvard,
For now I made an issue in our tracker for it
https://issues.opendnssec.org/browse/OPENDNSSEC-752
Regards,
Yuri
On 25-01-16 15:35, Havard Eidnes wrote:
> Hi,
>
> I had reason to inspect the log from the physical console on our
> signer host, and found messages from ods-enforcerd related to two
> of our zones:
>
> Jan 24 17:07:01 hugin ods-enforcerd: Error allocating ksks to zone godegrep.no
> Jan 24 17:07:16 hugin ods-enforcerd: Error allocating zsks to zone 2.1.2.6.1.9.3.7.7.4.nrenum.net
>
> and that this is a recurring theme.
>
> Looking at the log reveals a bit more:
>
> Jan 25 14:12:48 hugin ods-enforcerd: Zone godegrep.no found.
> Jan 25 14:12:48 hugin ods-enforcerd: Policy for godegrep.no set to default.
> Jan 25 14:12:48 hugin ods-enforcerd: Config will be output to /var/opendnssec/signconf/godegrep.no.xml.
> Jan 25 14:12:48 hugin ods-enforcerd: Not enough keys to satisfy ksk policy for zone: godegrep.no. keys_to_allocate(1) = keys_needed(1) - (keys_available(1) - keys_pending_retirement(1))
> Jan 25 14:12:48 hugin ods-enforcerd: Tried to allocate 1 keys, failed on allocating key number 1
> Jan 25 14:12:48 hugin ods-enforcerd: ods-enforcerd will create some more keys on its next run
> Jan 25 14:12:48 hugin ods-enforcerd: Error allocating ksks to zone godegrep.no
>
> It seems to me that the calculation above wrt. keys_to_allocate is
> correct, but the statement that ods-enforcerd will create more keys
> on its next run appears to be a blatant lie.
>
> Listing the keys for these zones reveals that some of the "Date of
> next transition" has come and gone without the transition to the
> next state having taken place, and one of the key sets has a key in
> "generate" state which isn't visible without the "-all" switch:
>
> ods @ hugin: {6} ods-ksmutil key list -all --zone godegrep.no
> Keys:
> Zone:                           Keytype:      State:    Date of next transition:
> godegrep.no                     KSK           active    2015-12-13 15:12:43
> godegrep.no                     ZSK           retire    2015-12-29 09:45:48
> godegrep.no                     ZSK           active    2016-01-07 04:30:48
> godegrep.no                     ZSK           generate  (not scheduled)
>
> ods @ hugin: {7} ods-ksmutil key list --all --zone 2.1.2.6.1.9.3.7.7.4.nrenum.net
> Keys:
> Zone:                           Keytype:      State:    Date of next transition:
> 2.1.2.6.1.9.3.7.7.4.nrenum.net  KSK           active    2016-12-09 23:42:31
> 2.1.2.6.1.9.3.7.7.4.nrenum.net  ZSK           active    2016-01-06 00:25:00
>
> ods @ hugin: {8}
>
> I'm not sure when this started.
>
> So...
>
> 1) Any idea how OpenDNSSEC got itself into this state?
>
> 2) Are there any manual steps I have to perform to get it out of
> this state for these two zones?
>
> 3) Rhetorical: why doesn't OpenDNSSEC recover by itself from this?
>
>
> Best regards,
>
> - Håvard
>
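An added monitoring check, not part of this thread or of OpenDNSSEC itself, that parses `ods-ksmutil key list --all` output in the layout shown above and flags the two symptoms Håvard describes: "Date of next transition" values that have already passed, and a key type with an overdue rollover but no key in "generate" state for the enforcer to allocate. The sample listing is constructed from the godegrep.no output; treating a missing "generate" key as the cause of the allocation error is an assumption drawn from that KSK case, not documented enforcer logic.

```python
from datetime import datetime
# Constructed sample in the layout ods-ksmutil prints (one key per row).
SAMPLE_LISTING = """\
Keys:
Zone:                           Keytype:      State:    Date of next transition:
godegrep.no                     KSK           active    2015-12-13 15:12:43
godegrep.no                     ZSK           retire    2015-12-29 09:45:48
godegrep.no                     ZSK           active    2016-01-07 04:30:48
godegrep.no                     ZSK           generate  (not scheduled)
"""
LOG_TIME = datetime(2016, 1, 25, 14, 12, 48)  # time of the quoted enforcer log

def parse_key_list(text):
    """Return a list of (zone, keytype, state, next_transition or None)."""
    keys = []
    for line in text.splitlines():
        parts = line.split()
        # Skip "Keys:" and the column header; data rows have KSK/ZSK in column 2.
        if len(parts) < 4 or parts[1] not in ("KSK", "ZSK"):
            continue
        zone, keytype, state = parts[0], parts[1], parts[2]
        when = None
        if parts[3] != "(not":  # "(not scheduled)" carries no timestamp
            when = datetime.strptime(f"{parts[3]} {parts[4]}", "%Y-%m-%d %H:%M:%S")
        keys.append((zone, keytype, state, when))
    return keys

def check_rollovers(keys, now):
    """Return findings as strings; an empty list means nothing looks stuck."""
    findings = []
    overdue = set()  # (zone, keytype) with a transition date already passed
    spare = set()    # (zone, keytype) that still has a key in 'generate' state
    for zone, keytype, state, when in keys:
        if state == "generate":
            spare.add((zone, keytype))
        if when is not None and when < now:
            overdue.add((zone, keytype))
            findings.append(f"{zone} {keytype} {state}: transition due "
                            f"{when:%Y-%m-%d %H:%M:%S} has not happened")
    # Assumption: allocation fails when a rollover is due but no 'generate'
    # key exists for that key type, as in the KSK case from the thread.
    for zone, keytype in sorted(overdue - spare):
        findings.append(f"{zone} {keytype}: rollover overdue and no key in "
                        f"'generate' state for the enforcer to allocate")
    return findings

if __name__ == "__main__":
    for finding in check_rollovers(parse_key_list(SAMPLE_LISTING), LOG_TIME):
        print(finding)
```

Feeding it live `ods-ksmutil key list --all` output from cron gives an alert well before the enforcer starts logging "Error allocating" for the zone.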