[Opendnssec-user] Opendnssec 2.0.1 Lots of keys created
Juan Carlos Rodriguez
jcarlos.rodriguez at rediris.es
Mon Oct 10 14:38:26 UTC 2016
Thank you Yuri, I will do as you comment.
Juan Carlos
On 10/10/16 at 15:43, Yuri Schaeffer wrote:
> Hi Juan,
>
> The conf.xml has a <AutomaticKeyGenerationPeriod> in the enforcer
> section. If not specified it defaults to a year. If you use a policy
> with a very short key lifetime, such as lab, you might want to set it
> *much* lower.
>
> https://wiki.opendnssec.org/display/DOCS20/conf.xml#conf.xml-Enforcer
>
> Best regards,
> Yuri
>
> On 10-10-16 11:51, Juan Carlos Rodriguez wrote:
>> Hi,
>>
>> We have compiled the 2.0.1 version to test with our Luna HSM. We have
>> added one zone for testing (the policy is like "lab" policy but using
>> our HSM instead of softhsm), and a lot of ZSK keys (1761) have been
>> created. Is it a new behavior or a bug?
>>
>> Oct 10 11:03:59 dnssectest ods-enforcerd: [enforcer] updatePolicy:
>> policyName: testfast_safenet
>> Oct 10 11:03:59 dnssectest ods-enforcerd: [enforcer] updatePolicy: New
>> key needed for role KSK
>> Oct 10 11:03:59 dnssectest ods-enforcerd: [enforcer] updatePolicy: got
>> new key from HSM
>> Oct 10 11:03:59 dnssectest ods-enforcerd: 1 zone(s) found on policy
>> "testfast_safenet"
>> Oct 10 11:03:59 dnssectest ods-enforcerd: [hsm_key_factory_generate] 122
>> keys needed for 1 zones covering 31536000 seconds, generating 1 keys for
>> policy testfast_safenet
>> Oct 10 11:03:59 dnssectest ods-enforcerd: 1 new KSK(s) (2048 bits) need
>> to be created.
>> Oct 10 11:04:00 dnssectest ods-enforcerd: [hsm_key_factory_generate] key
>> generation failed, HSM error: generate key pair: Unknown error
>> Oct 10 11:04:00 dnssectest ods-enforcerd: 1 zone(s) found on policy
>> "testfast_safenet"
>> Oct 10 11:04:00 dnssectest ods-enforcerd: [hsm_key_factory_generate]
>> 2190 keys needed for 1 zones covering 31536000 seconds, generating 1761
>> keys for policy testfast_safenet
>> Oct 10 11:04:00 dnssectest ods-enforcerd: 1761 new ZSK(s) (2048 bits)
>> need to be created.
>>
>> <Policy name="testfast_safenet">
>> <Description>Quick turnaround policy for lab
>> work</Description>
>> <Signatures>
>> <Resign>PT10M</Resign>
>> <Refresh>PT50M</Refresh>
>> <Validity>
>> <Default>PT1H</Default>
>> <Denial>PT1H</Denial>
>> </Validity>
>> <Jitter>PT1M</Jitter>
>> <InceptionOffset>PT30S</InceptionOffset>
>> </Signatures>
>> ...
>> <Keys>
>> <!-- Parameters for both KSK and ZSK -->
>> <TTL>PT300S</TTL>
>> <RetireSafety>PT360S</RetireSafety>
>> <PublishSafety>PT360S</PublishSafety>
>> <!-- <ShareKeys/> -->
>> <Purge>PT10S</Purge>
>>
>> <!-- Parameters for KSK only -->
>> <KSK>
>> <Algorithm length="2048">8</Algorithm>
>> <Lifetime>P3D</Lifetime>
>> <Repository>SafenetLuna7000</Repository>
>> </KSK>
>>
>> <!-- Parameters for ZSK only -->
>> <ZSK>
>> <Algorithm length="2048">8</Algorithm>
>> <Lifetime>PT4H</Lifetime>
>> <Repository>SafenetLuna7000</Repository>
>> <!-- <ManualRollover/> -->
>> </ZSK>
>> </Keys>
>> ...
>> </Policy>
>>
>> Kind regards
>>
>> --
>> ---------------------------------------------
>> Juan Carlos Rodríguez Merino
>> NOC RedIRIS
>> Tel: 912127620 (Ext. 4345)
>>
>> RedIRIS / Red.es
>> Edificio Bronce
>> Plaza de Manuel Gómez Moreno, s/n - 2ª planta
>> 28020 Madrid
>> ---------------------------------------------
>>
>>
>>
>> _______________________________________________
>> Opendnssec-user mailing list
>> Opendnssec-user at lists.opendnssec.org
>> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
>>
--
---------------------------------------------
Juan Carlos Rodríguez Merino
NOC RedIRIS
Tel: 912127620 (Ext. 4345)
RedIRIS / Red.es
Edificio Bronce
Plaza de Manuel Gómez Moreno, s/n - 2ª planta
28020 Madrid
---------------------------------------------
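A quick way to check Yuri's advice against the numbers in the log, as an added example that is not part of the thread and not OpenDNSSEC's own code: the log says 31536000 seconds (365 days, the documented one-year default of AutomaticKeyGenerationPeriod) and reports 122 KSKs for a P3D lifetime and 2190 ZSKs for a PT4H lifetime, which is exactly ceil(period / lifetime) per zone and role. The script below assumes that estimate, reads the Enforcer section of two constructed conf.xml fragments (one without the element, one with P1D), and forecasts the pre-generation count for the quoted lab policy; the 30-day month used by the duration parser is an assumption, not an OpenDNSSEC convention.

```python
"""Forecast how many HSM keys the OpenDNSSEC 2.x enforcer pre-generates.

Added example, not OpenDNSSEC code. Assumption: the enforcer needs about
ceil(AutomaticKeyGenerationPeriod / Lifetime) keys per zone and per role,
which reproduces the 122 KSK / 2190 ZSK counts in the quoted log.
"""
import math
import re
import xml.etree.ElementTree as ET

# Constructed conf.xml fragments (only the parts this example needs).
# Without the element the enforcer falls back to a one-year period.
CONF_DEFAULT = "<Configuration><Enforcer></Enforcer></Configuration>"
# Tuned for a short-lifetime lab policy: pre-generate only a day's worth.
CONF_TUNED = """<Configuration><Enforcer>
  <AutomaticKeyGenerationPeriod>P1D</AutomaticKeyGenerationPeriod>
</Enforcer></Configuration>"""

DEFAULT_PERIOD = "P1Y"  # documented default when the element is absent

# Key lifetimes taken from the testfast_safenet policy quoted above.
LAB_POLICY = {"KSK": "P3D", "ZSK": "PT4H"}

_DUR = re.compile(
    r"^P(?:(\d+)Y)?(?:(\d+)M)?(?:(\d+)D)?"
    r"(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$"
)


def parse_duration(text):
    """ISO 8601 duration -> seconds (365-day year; 30-day month is an assumption)."""
    m = _DUR.match(text)
    if not m or text in ("P", "PT"):
        raise ValueError(f"unsupported duration: {text!r}")
    years, months, days, hours, minutes, seconds = (int(g or 0) for g in m.groups())
    return ((years * 365 + months * 30 + days) * 24 + hours) * 3600 + minutes * 60 + seconds


def generation_period_seconds(conf_xml):
    """Read Enforcer/AutomaticKeyGenerationPeriod, defaulting to a year."""
    root = ET.fromstring(conf_xml)
    node = root.find("./Enforcer/AutomaticKeyGenerationPeriod")
    text = node.text.strip() if node is not None and node.text else DEFAULT_PERIOD
    return parse_duration(text)


def keys_needed(period_seconds, lifetime, zones=1):
    """Estimated keys the enforcer wants in the HSM for one role (assumed formula)."""
    return zones * math.ceil(period_seconds / parse_duration(lifetime))


def forecast(conf_xml, policy, zones=1):
    """Map each role in the policy to its estimated pre-generation count."""
    period = generation_period_seconds(conf_xml)
    return {role: keys_needed(period, lifetime, zones) for role, lifetime in policy.items()}


if __name__ == "__main__":
    for label, conf in (("default (P1Y)", CONF_DEFAULT), ("tuned (P1D)", CONF_TUNED)):
        print(f"{label}: {forecast(conf, LAB_POLICY)}")
```

Running it against the default period gives the same 122 KSKs and 2190 ZSKs the log asked for, while P1D brings the lab policy down to 1 KSK and 6 ZSKs. Beyond explaining the surprise, the forecast is worth running before pointing a short-lifetime policy at a real HSM: every pre-generated key occupies a slot on the token, and the log's "generate key pair: Unknown error" on the KSK is the kind of failure you want to see during a one-day period, not after a thousand generations.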