[Opendnssec-user] negative number of KSKs needed, no KSKs generated for new zones
Paul Wouters
paul at nohats.ca
Tue Mar 5 04:33:21 UTC 2019
I'm trying to get myself out of a situation where for a newly added
domain, the enforcer isn't generating keys.
I thought I could be smart by giving it some pregenerated keys, but:
[root at ns0 ~]# ods-ksmutil key generate --policy default --interval 1Y --zonetotal 1
Key sharing is Off
Info: converting 1Y to seconds; M interpreted as 31 days, Y interpreted as 365 days
HSM opened successfully.
Info: 21 zone(s) found on policy "default"
Info: Keys will actually be generated for a total of 1 zone(s) as specified by zone total parameter
-19 new KSK(s) (2048 bits) need to be created for policy default: keys_to_generate(-19) = keys_needed(2) - keys_available(21).
14 new ZSK(s) (2048 bits) need to be created for policy default: keys_to_generate(14) = keys_needed(13) - keys_available(-1).
*WARNING* This will create 0 KSKs (2048 bits) and 14 ZSKs (2048 bits)
Are you sure? [y/N]
So I'd rather not try and see what happens when it tries to generate -19 keys.
Any advice on how to get out of this?
Others ran into this issue as well:
https://issues.opendnssec.org/browse/OPENDNSSEC-752
When running: ods-ksmutil key list -v --all
I see a seemingly infinite amount of:
NOT ALLOCATED generate (not scheduled) (publish) 2048 5 5de538d0181444d59d300602ae91cb6a SoftHSM
NOT ALLOCATED generate (not scheduled) (publish) 2048 5 d73959d1d50b92a31c72225061a0b4a3 SoftHSM
NOT ALLOCATED generate (not scheduled) (publish) 2048 5 721809ffc35c101608071c945e7d0e3d SoftHSM
NOT ALLOCATED generate (not scheduled) (publish) 2048 5 89613f35abfa68a5036604e1ea51a9e9 SoftHSM
NOT ALLOCATED generate (not scheduled) (publish) 2048 5 fe0aa7b6539f09e3c75ec5276529001f SoftHSM
NOT ALLOCATED generate (not scheduled) (publish) 2048 5 5360ede39c4eec4c847517ae5730e3f0 SoftHSM
NOT ALLOCATED generate (not scheduled) (publish) 2048 5 457e9e4f60213a9a77b5dd1792a4c871 SoftHSM
NOT ALLOCATED generate (not scheduled) (publish) 2048 5 661349d7d2a18ea2a32eaeb9b427544f SoftHSM
NOT ALLOCATED generate (not scheduled) (publish) 2048 5 94572e6ff8340ceae5a88a6c38ca969b SoftHSM
It seems the newly added zone got a ZSK generated, but no KSK, which
seems related to the negative number of KSKs it wants to generate.
This is using opendnssec-1.4.14-1.el6.x86_64
Paul
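As an added illustration (this is example code written for this page, not from the poster or from the OpenDNSSEC project), the following script parses the two kinds of output quoted above: the per-policy `keys_to_generate(...) = keys_needed(...) - keys_available(...)` diagnostics printed by `ods-ksmutil key generate`, and the `NOT ALLOCATED` rows of `ods-ksmutil key list -v --all`. It checks the invariants a sane key pool should satisfy (the arithmetic in each line holds, no count is negative, the clamped number of keys actually created is `max(0, keys_to_generate)` as the warning line shows, and no CKA_ID is listed twice). The sample input is constructed from the lines in the post; the regexes assume the column layout visible in those lines and are not taken from ods-ksmutil's source.

```python
import re
from collections import Counter

# Constructed sample input: the two diagnostic lines quoted in the post.
GENERATE_OUTPUT = """\
-19 new KSK(s) (2048 bits) need to be created for policy default: keys_to_generate(-19) = keys_needed(2) - keys_available(21).
14 new ZSK(s) (2048 bits) need to be created for policy default: keys_to_generate(14) = keys_needed(13) - keys_available(-1).
"""

# Constructed sample input: the NOT ALLOCATED rows quoted from `key list -v --all`.
LIST_OUTPUT = """\
NOT ALLOCATED generate (not scheduled) (publish) 2048 5 5de538d0181444d59d300602ae91cb6a SoftHSM
NOT ALLOCATED generate (not scheduled) (publish) 2048 5 d73959d1d50b92a31c72225061a0b4a3 SoftHSM
NOT ALLOCATED generate (not scheduled) (publish) 2048 5 721809ffc35c101608071c945e7d0e3d SoftHSM
NOT ALLOCATED generate (not scheduled) (publish) 2048 5 89613f35abfa68a5036604e1ea51a9e9 SoftHSM
NOT ALLOCATED generate (not scheduled) (publish) 2048 5 fe0aa7b6539f09e3c75ec5276529001f SoftHSM
NOT ALLOCATED generate (not scheduled) (publish) 2048 5 5360ede39c4eec4c847517ae5730e3f0 SoftHSM
NOT ALLOCATED generate (not scheduled) (publish) 2048 5 457e9e4f60213a9a77b5dd1792a4c871 SoftHSM
NOT ALLOCATED generate (not scheduled) (publish) 2048 5 661349d7d2a18ea2a32eaeb9b427544f SoftHSM
NOT ALLOCATED generate (not scheduled) (publish) 2048 5 94572e6ff8340ceae5a88a6c38ca969b SoftHSM
"""

# Layout assumed from the quoted lines: "<n> new KSK(s)/ZSK(s) (<bits> bits) need to be
# created for policy <name>: keys_to_generate(<g>) = keys_needed(<n>) - keys_available(<a>)."
GEN_RE = re.compile(
    r"^(?P<announced>-?\d+) new (?P<type>KSK|ZSK)\(s\) \((?P<bits>\d+) bits\) "
    r"need to be created for policy (?P<policy>\S+): "
    r"keys_to_generate\((?P<to_gen>-?\d+)\) = keys_needed\((?P<needed>-?\d+)\) "
    r"- keys_available\((?P<avail>-?\d+)\)\.$"
)

# Layout assumed from the quoted lines: zone "NOT ALLOCATED", state, (next transition),
# (next state), size, algorithm, CKA_ID (32 hex chars), repository.
LIST_RE = re.compile(
    r"^NOT ALLOCATED\s+(?P<state>\S+)\s+\((?P<when>[^)]*)\)\s+\((?P<next>[^)]*)\)\s+"
    r"(?P<bits>\d+)\s+(?P<alg>\d+)\s+(?P<cka>[0-9a-f]{32})\s+(?P<repo>\S+)$"
)


def parse_generate_output(text):
    """Extract one dict per 'new KSK(s)/ZSK(s)' diagnostic line; numeric fields become ints."""
    rows = []
    for line in text.splitlines():
        m = GEN_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        rows.append({k: (v if k in ("type", "policy") else int(v)) for k, v in d.items()})
    return rows


def check_generate_rows(rows):
    """Return (key type, problem) pairs for counts that cannot be right.

    A negative keys_available or keys_to_generate means the enforcer's view of the
    key pool is inconsistent, which is the symptom described in the post.
    """
    problems = []
    for r in rows:
        if r["needed"] - r["avail"] != r["to_gen"]:
            problems.append((r["type"], "arithmetic does not match"))
        if r["avail"] < 0:
            problems.append((r["type"], "negative keys_available"))
        if r["to_gen"] < 0:
            problems.append((r["type"], "negative keys_to_generate"))
    return problems


def effective_to_generate(rows):
    """Number of keys the tool will actually create per type: negatives clamp to 0,
    matching the '*WARNING* This will create 0 KSKs ... and 14 ZSKs' line."""
    return {r["type"]: max(0, r["to_gen"]) for r in rows}


def summarize_unallocated(text):
    """Count NOT ALLOCATED keys by (size, algorithm) and flag CKA_IDs listed more than once."""
    by_size_alg = Counter()
    ids = Counter()
    for line in text.splitlines():
        m = LIST_RE.match(line.strip())
        if not m:
            continue
        by_size_alg[(int(m["bits"]), int(m["alg"]))] += 1
        ids[m["cka"]] += 1
    return {
        "total": sum(by_size_alg.values()),
        "by_size_alg": dict(by_size_alg),
        "duplicates": sorted(cka for cka, n in ids.items() if n > 1),
    }


if __name__ == "__main__":
    rows = parse_generate_output(GENERATE_OUTPUT)
    for problem in check_generate_rows(rows):
        print("PROBLEM:", *problem)
    print("will actually create:", effective_to_generate(rows))
    print("unallocated pool:", summarize_unallocated(LIST_OUTPUT))
```

To use it on a live system, capture the stdout of the two commands from the post (answer N at the `[y/N]` prompt so nothing is generated) and pass that text to `parse_generate_output` and `summarize_unallocated` instead of the embedded samples.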