[Opendnssec-user] Question about ods-enforcerd and how it chooses keys

Jake Zack jake.zack at cira.ca
Wed Aug 16 13:45:24 UTC 2017

In a previous version of OpenDNSSEC (, two separate machines running ods-enforcerd while using the same HSM (either AEP Keyper or SoftHSM) would select keys in the same order.  This occurred after the initial 'ods-ksmutil setup' (and start of ods-enforcerd), as well as during a key rotation.

Because of this, I made the assumption that so long as the 'ods-hsmutil list' output on two machines were identical, the logic inside ods-enforcerd would make them select initial and subsequent keys using the same decision-making, thus always ending up with the same result.

Now I'm testing OpenDNSSEC-1.4.14 (and preparing to test OpenDNSSEC-2), and I've noticed that the behaviour of OpenDNSSEC-1.4.14 seems different.

Two machines with access to the same HSMs, upon initial ods-enforcerd start, are selecting different initial keys.
Running 'ods-ksmutil setup' to blow away the database, then restarting ods-enforcerd, also has it selecting different initial keys. (Both different keys from each other, but also different keys from the initial setup altogether.)

Has something drastically changed here?  Or did I do something different this time in setting up this test environment that could be causing this?
