[Opendnssec-user] Slow key generation with KSK rollover
Erik P. Ostlyngen
erik at norid.no
Fri Nov 15 10:14:41 UTC 2019
Hi,
I'm using OpenDNSSEC 2.1.4, and I'm seeing some strange behaviour when
I try to do a KSK rollover on a set of zones. I'm doing a rollover of
all my zones within a given policy. The command I use is:
% sudo ods-enforcer key rollover --keytype KSK --policy mypolicy
Enforcer then starts to generate new keys for my 792 zones but this is
done rather slowly, approximately 10 secs per key. Each time a key is
generated, I see the following message in the log:
Nov 12 07:44:33 server01 ods-enforcerd: [hsm_key_factory_generate] 1
keys needed for 792 zones covering 31536000 seconds, generating 1
keys for policy mypolicy
I would expect it to say something like '792 keys needed for 792
zones' since I'm not using shared keys. Between every key generated,
Enforcer seems to be looping through all the zones, logging messages
like this:
Nov 12 08:00:17 server01 ods-enforcerd: [enforcer] update zone:
myzone.no
Nov 12 08:00:17 server01 ods-enforcerd: [hsm_key_factory_get_key]
no keys available
Nov 12 08:00:17 server01 ods-enforcerd: [enforcer] updatePolicy: No
keys available in HSM for policy mypolicy, retry in 60 seconds
Is this the correct/expected behaviour or am I doing something wrong?
Regards,
Erik Østlyngen
Norid AS
www.norid.no
More information about the Opendnssec-user
mailing list