From: Paul Wouters (paul at nohats.ca)
Date: Mon, 4 Mar 2019 23:33:21 -0500 (EST)
Subject: [Opendnssec-user] negative number of KSKs needed, no KSKs generated for new zones

I'm trying to get myself out of a situation where, for a newly added domain, the enforcer isn't generating keys.

I thought I could be smart by giving it some pregenerated keys, but:

[root at ns0 ~]# ods-ksmutil key generate --policy default --interval 1Y --zonetotal 1
Key sharing is Off
Info: converting 1Y to seconds; M interpreted as 31 days, Y interpreted as 365 days
HSM opened successfully.
Info: 21 zone(s) found on policy "default"
Info: Keys will actually be generated for a total of 1 zone(s) as specified by zone total parameter
-19 new KSK(s) (2048 bits) need to be created for policy default: keys_to_generate(-19) = keys_needed(2) - keys_available(21).
14 new ZSK(s) (2048 bits) need to be created for policy default: keys_to_generate(14) = keys_needed(13) - keys_available(-1).
*WARNING* This will create 0 KSKs (2048 bits) and 14 ZSKs (2048 bits)
Are you sure? [y/N]

So I'd rather not try and see what happens when it tries to generate -19 keys.

Any advice on how to get out of this?
Others ran into this issue as well: https://issues.opendnssec.org/browse/OPENDNSSEC-752

When running: ods-ksmutil key list -v --all

I see a seemingly infinite amount of:

NOT ALLOCATED generate (not scheduled) (publish) 2048 5 5de538d0181444d59d300602ae91cb6a SoftHSM
NOT ALLOCATED generate (not scheduled) (publish) 2048 5 d73959d1d50b92a31c72225061a0b4a3 SoftHSM
NOT ALLOCATED generate (not scheduled) (publish) 2048 5 721809ffc35c101608071c945e7d0e3d SoftHSM
NOT ALLOCATED generate (not scheduled) (publish) 2048 5 89613f35abfa68a5036604e1ea51a9e9 SoftHSM
NOT ALLOCATED generate (not scheduled) (publish) 2048 5 fe0aa7b6539f09e3c75ec5276529001f SoftHSM
NOT ALLOCATED generate (not scheduled) (publish) 2048 5 5360ede39c4eec4c847517ae5730e3f0 SoftHSM
NOT ALLOCATED generate (not scheduled) (publish) 2048 5 457e9e4f60213a9a77b5dd1792a4c871 SoftHSM
NOT ALLOCATED generate (not scheduled) (publish) 2048 5 661349d7d2a18ea2a32eaeb9b427544f SoftHSM
NOT ALLOCATED generate (not scheduled) (publish) 2048 5 94572e6ff8340ceae5a88a6c38ca969b SoftHSM

It seems the newly added zone got a ZSK generated, but no KSK, which seems related to the negative number of KSKs it wants to generate.

This is using opendnssec-1.4.14-1.el6.x86_64

Paul

From: Emil Natan (shlyoko at gmail.com)
Date: Tue, 5 Mar 2019 09:13:01 +0200
Subject: [Opendnssec-user] negative number of KSKs needed, no KSKs generated for new zones

How does your default policy look? Are you using pre-generated keys for your existing zones? What happens if you try to pre-generate keys for 2 or 3 years? Since you are using SoftHSM, it should not be an issue (in terms of space/licensing) to pre-generate more keys in advance.

Generally speaking about pre-generation of keys, it's very useful when you want to set your HSM read-only by disabling key generation/deletion in the API. I never tried that with SoftHSM; is that your use case?
Emil

On Tue, Mar 5, 2019 at 6:41 AM Paul Wouters wrote:

>
> I'm trying to get myself out of a situation where for a newly added
> domain, the enforcer isn't generating keys.
>
> I thought I could be smart by giving it some pregenerated keys but:
>
> [root at ns0 ~]# ods-ksmutil key generate --policy default --interval 1Y
> --zonetotal 1
> Key sharing is Off
> Info: converting 1Y to seconds; M interpreted as 31 days, Y interpreted as
> 365 days
> HSM opened successfully.
> Info: 21 zone(s) found on policy "default"
> Info: Keys will actually be generated for a total of 1 zone(s) as
> specified by zone total parameter
> -19 new KSK(s) (2048 bits) need to be created for policy default:
> keys_to_generate(-19) = keys_needed(2) - keys_available(21).
> 14 new ZSK(s) (2048 bits) need to be created for policy default:
> keys_to_generate(14) = keys_needed(13) - keys_available(-1).
> *WARNING* This will create 0 KSKs (2048 bits) and 14 ZSKs (2048 bits)
> Are you sure? [y/N]
>
> So I'd rather not try and see what happens when it tries to generate -19
> keys.
>
> Any advice on how to get out of this?
>
> Others ran into this issue as well:
> https://issues.opendnssec.org/browse/OPENDNSSEC-752
>
> When running: ods-ksmutil key list -v --all
>
> I see a seemingly infinite amount of:
>
> NOT ALLOCATED generate (not scheduled)
> (publish) 2048 5 5de538d0181444d59d300602ae91cb6a SoftHSM
> NOT ALLOCATED generate (not scheduled)
> (publish) 2048 5 d73959d1d50b92a31c72225061a0b4a3 SoftHSM
> NOT ALLOCATED generate (not scheduled)
> (publish) 2048 5 721809ffc35c101608071c945e7d0e3d SoftHSM
> NOT ALLOCATED generate (not scheduled)
> (publish) 2048 5 89613f35abfa68a5036604e1ea51a9e9 SoftHSM
> NOT ALLOCATED generate (not scheduled)
> (publish) 2048 5 fe0aa7b6539f09e3c75ec5276529001f SoftHSM
> NOT ALLOCATED generate (not scheduled)
> (publish) 2048 5 5360ede39c4eec4c847517ae5730e3f0 SoftHSM
> NOT ALLOCATED generate (not scheduled)
> (publish) 2048 5 457e9e4f60213a9a77b5dd1792a4c871 SoftHSM
> NOT ALLOCATED generate (not scheduled)
> (publish) 2048 5 661349d7d2a18ea2a32eaeb9b427544f SoftHSM
> NOT ALLOCATED generate (not scheduled)
> (publish) 2048 5 94572e6ff8340ceae5a88a6c38ca969b SoftHSM
>
> It seems the newly added zone got a ZSK generated, but no KSK, which
> seems related to the negative number of KSKs it wants to generate.
>
> This is using opendnssec-1.4.14-1.el6.x86_64
>
> Paul
> _______________________________________________
> Opendnssec-user mailing list
> Opendnssec-user at lists.opendnssec.org
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
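As an added example (not from the thread and not OpenDNSSEC's own code), a small check that parses `ods-ksmutil key list -v --all` output and reports zones that, like the new zone in Paul's report, have a ZSK but no KSK, together with the number of NOT ALLOCATED keys sitting in the repository. The two NOT ALLOCATED lines in the sample are quoted from the thread; the header and the allocated-key lines are constructed, and their column order (zone, keytype, state, ...) is an assumption to adjust for your version.

```python
import re
from collections import defaultdict

# Constructed sample of `ods-ksmutil key list -v --all` output. The NOT ALLOCATED lines are
# quoted from the thread; the header and allocated-key lines are made up for this example, and
# their column order (zone, keytype, state, ...) is an assumption to adjust for your version.
SAMPLE_KEY_LIST = """\
Zone:            Keytype:  State:   Date of next transition (to):  Size:  Algorithm:  CKA_ID:  Repository:  Keytag:
example.org      KSK       active   2019-09-01 00:00:00 (retire)   2048   5   0f0e0d0c0b0a09080706050403020100  SoftHSM  10001
example.org      ZSK       active   2019-04-01 00:00:00 (retire)   2048   5   00112233445566778899aabbccddeeff  SoftHSM  10002
newzone.example  ZSK       publish  2019-03-06 04:33:21 (ready)    2048   5   ffeeddccbbaa99887766554433221100  SoftHSM  10003
NOT ALLOCATED generate (not scheduled) (publish) 2048 5 5de538d0181444d59d300602ae91cb6a SoftHSM
NOT ALLOCATED generate (not scheduled) (publish) 2048 5 d73959d1d50b92a31c72225061a0b4a3 SoftHSM
"""

# CKA_IDs in the thread are 32 lowercase hex characters.
CKA_ID_RE = re.compile(r"\b([0-9a-f]{32})\b")


def parse_key_list(text):
    """Split key list output into per-zone (keytype, state) pairs and a list of
    CKA_IDs for keys the enforcer has generated but not yet handed to any zone."""
    allocated = defaultdict(list)
    unallocated = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Zone:"):
            continue
        if line.startswith("NOT ALLOCATED"):
            # The zone column is two words here and the keytype column is absent,
            # so positional splitting would misalign; pull out the CKA_ID instead.
            m = CKA_ID_RE.search(line)
            unallocated.append(m.group(1) if m else line)
            continue
        zone, keytype, state = line.split()[:3]
        allocated[zone].append((keytype, state))
    return allocated, unallocated


def zones_missing(allocated, keytype):
    """Zones that have keys allocated but none of the given type (KSK or ZSK)."""
    return sorted(z for z, keys in allocated.items()
                  if not any(k == keytype for k, _ in keys))


def check(text):
    allocated, unallocated = parse_key_list(text)
    return {"zones": len(allocated), "unallocated": len(unallocated),
            "no_ksk": zones_missing(allocated, "KSK"),
            "no_zsk": zones_missing(allocated, "ZSK")}


if __name__ == "__main__":
    print(check(SAMPLE_KEY_LIST))
```

A non-empty `no_ksk` list for a zone that has been in the enforcer long enough for its KSK to exist is the condition worth alerting on; a growing `unallocated` count alongside it points at the same key-accounting problem the thread describes.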