[Opendnssec-user] Question about ods-enforcerd and how it chooses keys

Yuri Schaeffer yuri at nlnetlabs.nl
Wed Aug 16 14:32:29 UTC 2017

Hi Jack,

> Has something drastically changed here?  Or did I do something different
> this time in setting up this test environment that could be causing this?

There is no explicit feature regarding the order of unused keys. If this
work before it was by luck. There might have been changes in the key
selection. We had quite some fixes in the HSM interfacing code. However
if you run the two enforcers of the same version I see no reason why
they would not select the same key.

I suspect you also upgraded the database software the enforcer uses to
store references to these keys. Unless specified, SQL results return in
no specific order. So this might depend on version, build, or windspeed.

This will be no different for OpenDNSSEC 2. Also you have very little
guarantee both enforcers would run exactly the same without drift.
Especially on operations where user input is required.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 195 bytes
Desc: OpenPGP digital signature
URL: <http://lists.opendnssec.org/pipermail/opendnssec-user/attachments/20170816/de9de90e/attachment.bin>

More information about the Opendnssec-user mailing list