[Opendnssec-user] Question about ods-enforcerd and how it chooses keys
jake.zack at cira.ca
Wed Aug 16 13:45:24 UTC 2017
In a previous version of OpenDNSSEC (220.127.116.11), two separate machines running ods-enforcerd while using the same HSM (either AEP Keyper or SoftHSM) would select keys in the same order. This occurred after the initial 'ods-ksmutil setup' (and start of ods-enforcerd), as well as during a key rotation.
Because of this, I made the assumption that so long as the 'ods-hsmutil list' output on two machines were identical, the logic inside ods-enforcerd would make them select initial and subsequent keys using the same decision-making, thus always ending up with the same result.
Now I'm testing OpenDNSSEC-1.4.14 (and preparing to test OpenDNSSEC-2), and I've noticed that the behaviour of OpenDNSSEC-1.4.14 seems different.
Two machines with access to the same HSM's, upon initial ods-enforcerd start, are selecting different initial keys.
Running 'ods-ksmutil setup' to blow away the database, then restarting ods-enforcerd, also has it selecting different initial keys. (Both different keys from each other, but also different keys from the initial setup altogether.)
Has something drastically changed here? Or did I do something different this time in setting up this test environment that could be causing this?
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Opendnssec-user