[Opendnssec-user] Error allocating ksks / zsks

Maurice maurice at info.nl
Thu Jan 28 09:42:35 UTC 2016


Hi Håvard,

I also ran into this a couple of times. I "fixed" this by using the 
"ods-ksmutil key generate" command.

Regards,

Maurice Mahieu


On 01/28/2016 10:32 AM, Yuri Schaeffer wrote:
>
> Hi Håvard,
>
> For now I made an issue in our tracker for it
> https://issues.opendnssec.org/browse/OPENDNSSEC-752
>
> Regards,
> Yuri
>
> On 25-01-16 15:35, Havard Eidnes wrote:
>> Hi,
>>
>> I had reason to inspect the log from the physical console on our
>> signer host, and found messages from ods-enforcerd related to two
>> of our zones:
>>
>> Jan 24 17:07:01 hugin ods-enforcerd: Error allocating ksks to zone godegrep.no
>> Jan 24 17:07:16 hugin ods-enforcerd: Error allocating zsks to zone 2.1.2.6.1.9.3.7.7.4.nrenum.net
>>
>> and that this is a recurring theme.
>>
>> Looking at the log reveals a bit more:
>>
>> Jan 25 14:12:48 hugin ods-enforcerd: Zone godegrep.no found.
>> Jan 25 14:12:48 hugin ods-enforcerd: Policy for godegrep.no set to default.
>> Jan 25 14:12:48 hugin ods-enforcerd: Config will be output to /var/opendnssec/signconf/godegrep.no.xml.
>> Jan 25 14:12:48 hugin ods-enforcerd: Not enough keys to satisfy ksk policy for zone: godegrep.no. keys_to_allocate(1) = keys_needed(1) - (keys_available(1) - keys_pending_retirement(1))
>> Jan 25 14:12:48 hugin ods-enforcerd: Tried to allocate 1 keys, failed on allocating key number 1
>> Jan 25 14:12:48 hugin ods-enforcerd: ods-enforcerd will create some more keys on its next run
>> Jan 25 14:12:48 hugin ods-enforcerd: Error allocating ksks to zone godegrep.no
>>
>> It seems to me that the calculation above wrt. keys_to_allocate is
>> correct, but the statement that ods-enforcerd will create more keys
>> on its next run appears to be a blatant lie.
>>
>> Listing the keys for these zones reveals that some of the "Date of
>> next transition" has come and gone without the transition to the
>> next state having taken place, and one of the key sets has a key in
>> "generate" state which isn't visible without the "-all" switch:
>>
>> ods @ hugin: {6} ods-ksmutil key list -all --zone godegrep.no
>> Keys:
>> Zone:                           Keytype:      State:    Date of next transition:
>> godegrep.no                     KSK           active    2015-12-13 15:12:43
>> godegrep.no                     ZSK           retire    2015-12-29 09:45:48
>> godegrep.no                     ZSK           active    2016-01-07 04:30:48
>> godegrep.no                     ZSK           generate  (not scheduled)
>>
>> ods @ hugin: {7} ods-ksmutil key list --all --zone 2.1.2.6.1.9.3.7.7.4.nrenum.net
>> Keys:
>> Zone:                           Keytype:      State:    Date of next transition:
>> 2.1.2.6.1.9.3.7.7.4.nrenum.net  KSK           active    2016-12-09 23:42:31
>> 2.1.2.6.1.9.3.7.7.4.nrenum.net  ZSK           active    2016-01-06 00:25:00
>>
>> ods @ hugin: {8}
>>
>> I'm not sure when this started.
>>
>> So...
>>
>> 1) Any idea how OpenDNSSEC got itself into this state?
>>
>> 2) Are there any manual steps I have to perform to get it out of
>> this state for these two zones?
>>
>> 3) Rhetorical: why doesn't OpenDNSSEC recover by itself from this?
>>
>>
>> Best regards,
>>
>> - Håvard
>> _______________________________________________
>> Opendnssec-user mailing list
>> Opendnssec-user at lists.opendnssec.org
>> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
>>


-- 
Maurice Mahieu
System Engineer | maurice at info.nl | +31 (0)20 53 09 111
info.nl /making platforms work/
Sint Antoniesbreestraat 16 | 1011 HB Amsterdam | +31 (0)20 530 91 00
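As an added example, not part of this thread or of OpenDNSSEC, the following Python check parses the ods-enforcerd syslog messages quoted above, re-derives keys_to_allocate from the logged operands, and flags zones whose allocation error recurs instead of clearing on the next run (the recurrence Håvard describes). The sample log lines are constructed from the excerpts in the thread.

```python
import re
from collections import defaultdict

# Message shapes exactly as quoted from the enforcer log in the thread.
ERR_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ ods-enforcerd: "
    r"Error allocating (?P<ktype>ksks|zsks) to zone (?P<zone>\S+)$")
CALC_RE = re.compile(
    r"Not enough keys to satisfy (?P<ktype>ksk|zsk) policy for zone: (?P<zone>\S+)\. "
    r"keys_to_allocate\((?P<alloc>\d+)\) = keys_needed\((?P<needed>\d+)\) - "
    r"\(keys_available\((?P<avail>\d+)\) - keys_pending_retirement\((?P<retire>\d+)\)\)")

def check_calc(m):
    """Re-derive keys_to_allocate from the logged operands; return (logged, derived)."""
    derived = int(m["needed"]) - (int(m["avail"]) - int(m["retire"]))
    return int(m["alloc"]), derived

def scan(lines):
    """Per zone: number of allocation errors and the (ktype, logged, derived) shortfalls."""
    report = defaultdict(lambda: {"failures": 0, "shortfalls": []})
    for line in lines:
        e = ERR_RE.match(line)
        if e:
            report[e["zone"]]["failures"] += 1
            continue
        c = CALC_RE.search(line)
        if c:
            report[c["zone"]]["shortfalls"].append((c["ktype"],) + check_calc(c))
    return dict(report)

def recurring(report, threshold=2):
    """Zones failing at least `threshold` times: one failure should self-heal on the
    next enforcer run, a repeat means key generation is not keeping up."""
    return sorted(z for z, r in report.items() if r["failures"] >= threshold)

# Constructed sample lines modelled on the thread's log excerpt.
SAMPLE = """\
Jan 24 17:07:01 hugin ods-enforcerd: Error allocating ksks to zone godegrep.no
Jan 24 17:07:16 hugin ods-enforcerd: Error allocating zsks to zone 2.1.2.6.1.9.3.7.7.4.nrenum.net
Jan 25 14:12:48 hugin ods-enforcerd: Zone godegrep.no found.
Jan 25 14:12:48 hugin ods-enforcerd: Not enough keys to satisfy ksk policy for zone: godegrep.no. keys_to_allocate(1) = keys_needed(1) - (keys_available(1) - keys_pending_retirement(1))
Jan 25 14:12:48 hugin ods-enforcerd: ods-enforcerd will create some more keys on its next run
Jan 25 14:12:48 hugin ods-enforcerd: Error allocating ksks to zone godegrep.no
""".splitlines()

if __name__ == "__main__":
    rep = scan(SAMPLE)
    for zone in recurring(rep):
        print(f"{zone}: {rep[zone]['failures']} failures, shortfalls {rep[zone]['shortfalls']}")
```

In production the lines would come from the host's syslog rather than the embedded sample; a non-empty result from recurring() is the condition worth alerting on.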


