[Opendnssec-user] Slow key generation with KSK rollover

Erik P. Ostlyngen erik at norid.no
Fri Nov 15 10:14:41 UTC 2019


I'm using OpenDNSSEC 2.1.4, and I'm seeing some strange behaviour when
I try to do a KSK rollover on a set of zones. I'm doing a rollover of
all my zones within a given policy. The command I use is:

% sudo ods-enforcer key rollover --keytype KSK --policy mypolicy

Enforcer then starts to generate new keys for my 792 zones, but this is
done rather slowly, approximately 10 seconds per key. Each time a key is
generated, I see the following message in the log:

  Nov 12 07:44:33 server01 ods-enforcerd: [hsm_key_factory_generate] 1
  keys needed for 792 zones covering 31536000 seconds, generating 1
  keys for policy mypolicy

I would expect it to say something like '792 keys needed for 792
zones' since I'm not using shared keys. Between every key generated,
Enforcer seems to be looping through all the zones, logging messages
like this:

  Nov 12 08:00:17 server01 ods-enforcerd: [enforcer] update zone:
  Nov 12 08:00:17 server01 ods-enforcerd: [hsm_key_factory_get_key]
  no keys available
  Nov 12 08:00:17 server01 ods-enforcerd: [enforcer] updatePolicy: No
  keys available in HSM for policy mypolicy, retry in 60 seconds

Is this the correct/expected behaviour or am I doing something wrong?

Erik Østlyngen
Norid AS
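The following is an added example, not part of the post above and not OpenDNSSEC code. It parses ods-enforcerd syslog lines of the shape quoted in the post (the sample lines are constructed to match that format, including the zone names), counts the `hsm_key_factory_generate` events and the "No keys available ... retry" loops per policy, measures the mean time between successive key generations, and projects how long the remaining keys would take under the assumption stated in the post that a non-shared-key policy needs one key per zone. The `shared_keys` flag, the `year` parameter (syslog timestamps carry no year) and the output field names are this example's own choices.

```python
"""Summarise ods-enforcerd key-generation behaviour from syslog lines.

Added example for this mailing-list thread; not OpenDNSSEC code.
Regexes target the log formats quoted in the post; the sample log,
zone names and the one-key-per-zone projection are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: three generate events 10 s apart, with the
# "no keys available" retry loop between them.
SAMPLE_LOG = """\
Nov 12 07:44:33 server01 ods-enforcerd: [hsm_key_factory_generate] 1 keys needed for 792 zones covering 31536000 seconds, generating 1 keys for policy mypolicy
Nov 12 07:44:35 server01 ods-enforcerd: [enforcer] update zone: example1.no
Nov 12 07:44:35 server01 ods-enforcerd: [hsm_key_factory_get_key] no keys available
Nov 12 07:44:35 server01 ods-enforcerd: [enforcer] updatePolicy: No keys available in HSM for policy mypolicy, retry in 60 seconds
Nov 12 07:44:43 server01 ods-enforcerd: [hsm_key_factory_generate] 1 keys needed for 792 zones covering 31536000 seconds, generating 1 keys for policy mypolicy
Nov 12 07:44:45 server01 ods-enforcerd: [enforcer] updatePolicy: No keys available in HSM for policy mypolicy, retry in 60 seconds
Nov 12 07:44:53 server01 ods-enforcerd: [hsm_key_factory_generate] 1 keys needed for 792 zones covering 31536000 seconds, generating 1 keys for policy mypolicy
"""

TS_RE = r"(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d)"
GEN_RE = re.compile(
    TS_RE + r" \S+ ods-enforcerd: \[hsm_key_factory_generate\] "
    r"(?P<needed>\d+) keys needed for (?P<zones>\d+) zones covering "
    r"(?P<cover>\d+) seconds, generating (?P<gen>\d+) keys for policy (?P<policy>\S+)"
)
RETRY_RE = re.compile(
    TS_RE + r" \S+ ods-enforcerd: \[enforcer\] updatePolicy: No keys available "
    r"in HSM for policy (?P<policy>\S+), retry in (?P<wait>\d+) seconds"
)


def parse_ts(ts, year):
    """Syslog timestamps have no year; supply one so deltas can be computed."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def analyze(log_text, year=2019, shared_keys=False):
    """Return per-policy counts, timing and findings for the given log text."""
    per_policy = defaultdict(lambda: {
        "generate_events": 0, "keys_generated": 0, "keys_needed": None,
        "zones": None, "retries": 0, "retry_wait": None, "gen_times": [],
    })
    for line in log_text.splitlines():
        m = GEN_RE.search(line)
        if m:
            p = per_policy[m["policy"]]
            p["generate_events"] += 1
            p["keys_generated"] += int(m["gen"])
            p["keys_needed"] = int(m["needed"])
            p["zones"] = int(m["zones"])
            p["gen_times"].append(parse_ts(m["ts"], year))
            continue
        m = RETRY_RE.search(line)
        if m:
            p = per_policy[m["policy"]]
            p["retries"] += 1
            p["retry_wait"] = int(m["wait"])

    report = {}
    for policy, p in per_policy.items():
        times = p["gen_times"]
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean_gap = sum(gaps) / len(gaps) if gaps else None
        findings = []
        # Assumption from the post: without shared keys, a policy needs one
        # key per zone, so "1 keys needed for 792 zones" is suspicious.
        if (not shared_keys and p["zones"] and p["keys_needed"] is not None
                and p["keys_needed"] < p["zones"]):
            findings.append(
                f"enforcer reports {p['keys_needed']} keys needed for "
                f"{p['zones']} zones although keys are not shared")
        if p["retries"]:
            findings.append(
                f"{p['retries']} 'no keys available' retries "
                f"(retry interval {p['retry_wait']} s) while keys were still being generated")
        remaining = None
        if mean_gap is not None and p["zones"] and not shared_keys:
            remaining = (p["zones"] - p["keys_generated"]) * mean_gap
        report[policy] = {
            "generate_events": p["generate_events"],
            "keys_generated": p["keys_generated"],
            "zones": p["zones"],
            "retries": p["retries"],
            "mean_seconds_per_key": mean_gap,
            "estimated_remaining_seconds": remaining,
            "findings": findings,
        }
    return report


if __name__ == "__main__":
    for policy, r in analyze(SAMPLE_LOG).items():
        print(policy, r)
```

Run it against the real enforcer log (for example the output of `grep ods-enforcerd /var/log/syslog`) instead of `SAMPLE_LOG` to get the measured seconds-per-key figure and the number of retry loops for a policy; the projection is only meaningful for a policy that does not share keys between zones.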
