[Opendnssec-user] Opendnssec 2.0.1 Lots of keys created
Yuri Schaeffer
yuri at nlnetlabs.nl
Mon Oct 10 13:43:38 UTC 2016
Hi Juan,
The conf.xml has a <AutomaticKeyGenerationPeriod> in the enforcer
section. If not specified it defaults to a year. If you use a policy
with a very short key lifetime, such as lab, you might want to set it
*much* lower.
https://wiki.opendnssec.org/display/DOCS20/conf.xml#conf.xml-Enforcer
Best regards,
Yuri
On 10-10-16 11:51, Juan Carlos Rodriguez wrote:
> Hi,
>
> We have compiled the 2.0.1 version to test with our Luna HSM. We have
> added one zone for testing (the policy is like "lab" policy but using
> our HSM instead of softhsm), and a lot of ZSK keys (1761) have been
> created. Is it a new behavior or a bug?
>
> Oct 10 11:03:59 dnssectest ods-enforcerd: [enforcer] updatePolicy:
> policyName: testfast_safenet
> Oct 10 11:03:59 dnssectest ods-enforcerd: [enforcer] updatePolicy: New
> key needed for role KSK
> Oct 10 11:03:59 dnssectest ods-enforcerd: [enforcer] updatePolicy: got
> new key from HSM
> Oct 10 11:03:59 dnssectest ods-enforcerd: 1 zone(s) found on policy
> "testfast_safenet"
> Oct 10 11:03:59 dnssectest ods-enforcerd: [hsm_key_factory_generate] 122
> keys needed for 1 zones covering 31536000 seconds, generating 1 keys for
> policy testfast_safenet
> Oct 10 11:03:59 dnssectest ods-enforcerd: 1 new KSK(s) (2048 bits) need
> to be created.
> Oct 10 11:04:00 dnssectest ods-enforcerd: [hsm_key_factory_generate] key
> generation failed, HSM error: generate key pair: Unknown error
> Oct 10 11:04:00 dnssectest ods-enforcerd: 1 zone(s) found on policy
> "testfast_safenet"
> Oct 10 11:04:00 dnssectest ods-enforcerd: [hsm_key_factory_generate]
> 2190 keys needed for 1 zones covering 31536000 seconds, generating 1761
> keys for policy testfast_safenet
> Oct 10 11:04:00 dnssectest ods-enforcerd: 1761 new ZSK(s) (2048 bits)
> need to be created.
>
> <Policy name="testfast_safenet">
>   <Description>Quick turnaround policy for lab work</Description>
>   <Signatures>
>     <Resign>PT10M</Resign>
>     <Refresh>PT50M</Refresh>
>     <Validity>
>       <Default>PT1H</Default>
>       <Denial>PT1H</Denial>
>     </Validity>
>     <Jitter>PT1M</Jitter>
>     <InceptionOffset>PT30S</InceptionOffset>
>   </Signatures>
>   ...
>   <Keys>
>     <!-- Parameters for both KSK and ZSK -->
>     <TTL>PT300S</TTL>
>     <RetireSafety>PT360S</RetireSafety>
>     <PublishSafety>PT360S</PublishSafety>
>     <!-- <ShareKeys/> -->
>     <Purge>PT10S</Purge>
>
>     <!-- Parameters for KSK only -->
>     <KSK>
>       <Algorithm length="2048">8</Algorithm>
>       <Lifetime>P3D</Lifetime>
>       <Repository>SafenetLuna7000</Repository>
>     </KSK>
>
>     <!-- Parameters for ZSK only -->
>     <ZSK>
>       <Algorithm length="2048">8</Algorithm>
>       <Lifetime>PT4H</Lifetime>
>       <Repository>SafenetLuna7000</Repository>
>       <!-- <ManualRollover/> -->
>     </ZSK>
>   </Keys>
>   ...
> </Policy>
>
> Kind regards
>
> --
> ---------------------------------------------
> Juan Carlos Rodríguez Merino
> NOC RedIRIS
> Tel: 912127620 (Ext. 4345)
>
> RedIRIS / Red.es
> Edificio Bronce
> Plaza de Manuel Gómez Moreno, s/n - 2ª planta
> 28020 Madrid
> ---------------------------------------------
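A worked sizing check for the point Yuri makes, added here as an example (it is not part of the thread and not OpenDNSSEC's own code): it reads the KSK and ZSK Lifetime values from the policy Juan quoted and reproduces the "keys needed" figures in the enforcer log for the default one-year AutomaticKeyGenerationPeriod (31536000 s), then shows what a one-day period would pre-generate instead. The formula ceil(period / lifetime) * zones is inferred from the two log lines (122 KSKs, 2190 ZSKs) and is an assumption, not quoted from the enforcer source; the 365-day year and 30-day month conversions are assumptions too.

```python
import math
import re
import xml.etree.ElementTree as ET

# Constructed excerpt of the policy quoted in the mail: only the elements this
# check reads are kept, with the Lifetime values exactly as posted.
POLICY_XML = """
<Policy name="testfast_safenet">
  <Keys>
    <KSK><Algorithm length="2048">8</Algorithm><Lifetime>P3D</Lifetime></KSK>
    <ZSK><Algorithm length="2048">8</Algorithm><Lifetime>PT4H</Lifetime></ZSK>
  </Keys>
</Policy>
"""

# ISO 8601 duration as written in kasp.xml/conf.xml, e.g. P3D, PT4H, PT300S, P1Y.
DURATION_RE = re.compile(
    r"^P(?:(\d+)Y)?(?:(\d+)M)?(?:(\d+)W)?(?:(\d+)D)?"
    r"(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")
# Assumed fixed conversions: a year is 365 days (matches the 31536000 s the
# log reports for the default one-year period); a month is taken as 30 days.
UNIT_SECONDS = (365 * 86400, 30 * 86400, 7 * 86400, 86400, 3600, 60, 1)


def parse_duration(text):
    """Return the number of seconds an ISO 8601 duration string denotes."""
    m = DURATION_RE.match(text.strip())
    if not m or not any(m.groups()):
        raise ValueError(f"not an ISO 8601 duration: {text!r}")
    return sum(int(v) * s for v, s in zip(m.groups(), UNIT_SECONDS) if v)


def keys_needed(lifetime_s, period_s, zones=1):
    """Keys pre-generated per role so every zone can roll through the whole
    AutomaticKeyGenerationPeriod (assumed formula, inferred from the log)."""
    return math.ceil(period_s / lifetime_s) * zones


def estimate(policy_xml, period, zones=1):
    """Map role -> number of keys the enforcer would pre-generate in the HSM."""
    root = ET.fromstring(policy_xml)
    period_s = parse_duration(period)
    return {role: keys_needed(parse_duration(root.findtext(f"Keys/{role}/Lifetime")),
                              period_s, zones)
            for role in ("KSK", "ZSK")}


if __name__ == "__main__":
    # Default period (one year) versus a period sized for a short-lifetime lab policy.
    for period in ("P1Y", "P1D"):
        print(period, estimate(POLICY_XML, period))
```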