[Opendnssec-user] negative number of KSKs needed, no KSKs generated for new zones

Emil Natan shlyoko at gmail.com
Tue Mar 5 07:13:01 UTC 2019


How does your default policy look? Are you using pre-generated keys for your
existing zones? What happens if you try to pre-generate keys for 2 or 3
years? Since you are using SoftHSM it should not be an issue (in terms of
space/licensing) to pre-generate more keys in advance.
Generally speaking, pre-generation of keys is very useful when you
want to set your HSM read-only by disabling key generation/deletion in the
API. I never tried that with SoftHSM; is that your use case?

Emil

On Tue, Mar 5, 2019 at 6:41 AM Paul Wouters <paul at nohats.ca> wrote:

>
> I'm trying to get myself out of a situation where for a newly added
> domain, the enforcer isn't generating keys.
>
> I thought I could be smart by giving it some pre-generated keys but:
>
> [root at ns0 ~]# ods-ksmutil key generate --policy default --interval 1Y --zonetotal 1
> Key sharing is Off
> Info: converting 1Y to seconds; M interpreted as 31 days, Y interpreted as
> 365 days
> HSM opened successfully.
> Info: 21 zone(s) found on policy "default"
> Info: Keys will actually be generated for a total of 1 zone(s) as
> specified by zone total parameter
> -19 new KSK(s) (2048 bits) need to be created for policy default:
> keys_to_generate(-19) = keys_needed(2) - keys_available(21).
> 14 new ZSK(s) (2048 bits) need to be created for policy default:
> keys_to_generate(14) = keys_needed(13) - keys_available(-1).
> *WARNING* This will create 0 KSKs (2048 bits) and 14 ZSKs (2048 bits)
> Are you sure? [y/N]
>
> So I'd rather not try and see what happens when it tries to generate -19
> keys.
>
> Any advice on how to get out of this?
>
> Others ran into this issue as well:
> https://issues.opendnssec.org/browse/OPENDNSSEC-752
>
> When running: ods-ksmutil key list -v --all
>
> I see a seemingly infinite amount of:
>
> NOT ALLOCATED                                 generate  (not scheduled)
> (publish)  2048    5           5de538d0181444d59d300602ae91cb6a  SoftHSM
> NOT ALLOCATED                                 generate  (not scheduled)
> (publish)  2048    5           d73959d1d50b92a31c72225061a0b4a3  SoftHSM
> NOT ALLOCATED                                 generate  (not scheduled)
> (publish)  2048    5           721809ffc35c101608071c945e7d0e3d  SoftHSM
> NOT ALLOCATED                                 generate  (not scheduled)
> (publish)  2048    5           89613f35abfa68a5036604e1ea51a9e9  SoftHSM
> NOT ALLOCATED                                 generate  (not scheduled)
> (publish)  2048    5           fe0aa7b6539f09e3c75ec5276529001f  SoftHSM
> NOT ALLOCATED                                 generate  (not scheduled)
> (publish)  2048    5           5360ede39c4eec4c847517ae5730e3f0  SoftHSM
> NOT ALLOCATED                                 generate  (not scheduled)
> (publish)  2048    5           457e9e4f60213a9a77b5dd1792a4c871  SoftHSM
> NOT ALLOCATED                                 generate  (not scheduled)
> (publish)  2048    5           661349d7d2a18ea2a32eaeb9b427544f  SoftHSM
> NOT ALLOCATED                                 generate  (not scheduled)
> (publish)  2048    5           94572e6ff8340ceae5a88a6c38ca969b  SoftHSM
>
> It seems the newly added zone got a ZSK generated, but no KSK. Which
> seems related to the negative number of KSKs it wants to generate.
>
> This is using opendnssec-1.4.14-1.el6.x86_64
>
> Paul
> _______________________________________________
> Opendnssec-user mailing list
> Opendnssec-user at lists.opendnssec.org
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
>
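A small sanity check for the dry-run output above, added here as an example (not part of the thread or of OpenDNSSEC): it parses the `key generate` summary lines that Paul quoted and flags counts that cannot be right for a healthy enforcer database (negative `keys_available`, negative `keys_to_generate`, or a policy that needs keys while the tool says it will create none), so an operator can spot the inconsistency before answering "y". The sample text is the thread's own output, embedded as a constant.

```python
import re

# Constructed sample: the ods-ksmutil dry-run output quoted in the thread.
SAMPLE = """\
Key sharing is Off
Info: 21 zone(s) found on policy "default"
-19 new KSK(s) (2048 bits) need to be created for policy default:
keys_to_generate(-19) = keys_needed(2) - keys_available(21).
14 new ZSK(s) (2048 bits) need to be created for policy default:
keys_to_generate(14) = keys_needed(13) - keys_available(-1).
*WARNING* This will create 0 KSKs (2048 bits) and 14 ZSKs (2048 bits)
"""

HEAD_RE = re.compile(r"^(-?\d+) new (KSK|ZSK)\(s\) \((\d+) bits\)")
CALC_RE = re.compile(r"keys_to_generate\((-?\d+)\) = keys_needed\((-?\d+)\)"
                     r" - keys_available\((-?\d+)\)")
WARN_RE = re.compile(r"This will create (\d+) KSKs .* and (\d+) ZSKs")


def parse_plan(text):
    """Return {'KSK': {...}, 'ZSK': {...}} with the counts the tool printed."""
    plan, current = {}, None
    for line in text.splitlines():
        m = HEAD_RE.match(line)
        if m:                      # "-19 new KSK(s) (2048 bits) ..." header
            current = m.group(2)
            plan[current] = {"bits": int(m.group(3))}
            continue
        m = CALC_RE.search(line)
        if m and current:          # the arithmetic line that follows it
            plan[current].update(to_generate=int(m.group(1)),
                                 needed=int(m.group(2)),
                                 available=int(m.group(3)))
            continue
        m = WARN_RE.search(line)
        if m:                      # final "*WARNING* This will create ..." line
            plan.setdefault("KSK", {})["will_create"] = int(m.group(1))
            plan.setdefault("ZSK", {})["will_create"] = int(m.group(2))
    return plan


def find_anomalies(plan):
    """List human-readable problems; an empty list means the plan looks sane."""
    issues = []
    for kt, p in plan.items():
        if p.get("available", 0) < 0:
            issues.append(f"{kt}: negative keys_available ({p['available']})")
        if p.get("to_generate", 0) < 0:
            issues.append(f"{kt}: negative keys_to_generate ({p['to_generate']})")
        if "needed" in p and p["needed"] - p["available"] != p["to_generate"]:
            issues.append(f"{kt}: printed arithmetic does not add up")
        if p.get("will_create") == 0 and p.get("needed", 0) > 0:
            issues.append(f"{kt}: policy needs {p['needed']} but none will be created")
    return issues
```

Run `find_anomalies(parse_plan(SAMPLE))` to see all three problems in the quoted output (the KSK count going negative, no KSKs being created although the policy needs them, and the impossible ZSK `keys_available(-1)`).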