[Opendnssec-user] How keys are created in ODS 2.1.6

Vincent Levigneron vincent.levigneron at afnic.fr
Thu Nov 19 21:37:40 UTC 2020


Hello,

With ODS version 1, when you execute an "ods-ksmutil key generate"
command the tool tells you how many keys are going to be created and
many useful details (like their id):

>   ods-ksmutil key generate --policy testing --interval 3D
  Key sharing is Off
  HSM opened successfully.
  Info: 2 zone(s) found on policy "testing3”
  2 new KSK(s) (2048 bits) need to be created for policy testing: keys_to_generate(2) = keys_needed(2) - keys_available(0).
  2 new ZSK(s) (1024 bits) need to be created for policy testing: keys_to_generate(2) = keys_needed(2) - keys_available(0).
  *WARNING* This will create 2 KSKs (2048 bits) and 2 ZSKs (1024 bits)
  Are you sure? [y/N]
  y
  Created KSK size: 2048, alg: 8 with id: 0c4f30f16219c0ef411c6e376c8a9639 in repository: AEPKeyper and database.
  Created KSK size: 2048, alg: 8 with id: 40dfdcee3144534af486a6e641898e2b in repository: AEPKeyper and database.
  Created ZSK size: 1024, alg: 8 with id: b4afdc9ad78cce3eb24c6636642c7b20 in repository: AEPKeyper and database.
  Created ZSK size: 1024, alg: 8 with id: 0d5d04110c9321cc6920b6bfd8982c4a in repository: AEPKeyper and database.
  [...]

And the keys are actually created in DB and HSM.

With ODS 2.1.6, I obtain something "lighter":

> ods-enforcer key generate --policy afnic.yt -- duration 365D
Key generation task scheduled.

I can find some details in the logs:

Nov 19 22:27:31 nspublisher ods-enforcerd: [hsm_key_factory_generate] 7 keys needed for 1 zones covering 31536000 seconds, generating 3 keys for policy afnic.yt
Nov 19 22:27:31 nspublisher ods-enforcerd: 3 new ZSK(s) (256 bits) need to be created.
Nov 19 22:27:31 nspublisher ods-enforcerd: 1 zone(s) found on policy "afnic.yt"
Nov 19 22:27:31 nspublisher ods-enforcerd: [hsm_key_factory_generate] 1 keys needed for 1 zones covering 31536000 seconds, generating 1 keys for policy afnic.yt
Nov 19 22:27:31 nspublisher ods-enforcerd: 1 new KSK(s) (256 bits) need to be created.

But it does not say if the keys are really created, which indeed is not
the case, because if I use a command like "ods-enforcer backup list",
I can see just one new key which is not backed up.

Is there a way to force, like with ODS1, the creation of all needed keys
when we launch the key generation command, and is it possible to have
more details without going into the logs for that?

Regards,

    Vincent

-- 
	Vincent Levigneron  A.F.N.I.C.  Vincent.Levigneron at afnic.fr
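As an added illustration (not code from the post or from OpenDNSSEC), a small parser for the ods-enforcerd lines quoted above: it pairs each `hsm_key_factory_generate` line with the KSK/ZSK line that follows it and reports where the enforcer scheduled fewer keys than it said were needed. The log format is assumed to be exactly the one shown in the post; the sample lines below are constructed from it.

```python
import re

# Constructed sample: the ods-enforcerd lines quoted in the post above.
SAMPLE_LOG = """\
Nov 19 22:27:31 nspublisher ods-enforcerd: [hsm_key_factory_generate] 7 keys needed for 1 zones covering 31536000 seconds, generating 3 keys for policy afnic.yt
Nov 19 22:27:31 nspublisher ods-enforcerd: 3 new ZSK(s) (256 bits) need to be created.
Nov 19 22:27:31 nspublisher ods-enforcerd: 1 zone(s) found on policy "afnic.yt"
Nov 19 22:27:31 nspublisher ods-enforcerd: [hsm_key_factory_generate] 1 keys needed for 1 zones covering 31536000 seconds, generating 1 keys for policy afnic.yt
Nov 19 22:27:31 nspublisher ods-enforcerd: 1 new KSK(s) (256 bits) need to be created.
"""

# Assumed format, taken from the lines in the post.
FACTORY_RE = re.compile(
    r"\[hsm_key_factory_generate\] (?P<needed>\d+) keys needed for (?P<zones>\d+) zones "
    r"covering (?P<seconds>\d+) seconds, generating (?P<generating>\d+) keys for policy (?P<policy>\S+)"
)
TYPE_RE = re.compile(r"(?P<count>\d+) new (?P<ktype>KSK|ZSK)\(s\) \((?P<bits>\d+) bits\) need to be created")


def parse_enforcer_log(text):
    """Pair each hsm_key_factory_generate line with the KSK/ZSK line that follows it.

    Returns one dict per (policy, key type) batch, with the needed/generating
    counts and the shortfall (needed - generating)."""
    batches = []
    pending = None
    for line in text.splitlines():
        m = FACTORY_RE.search(line)
        if m:
            # Numeric fields become ints; the policy name stays a string.
            pending = {k: int(v) if v.isdigit() else v for k, v in m.groupdict().items()}
            continue
        m = TYPE_RE.search(line)
        if m and pending is not None:
            pending["ktype"] = m.group("ktype")
            pending["bits"] = int(m.group("bits"))
            pending["shortfall"] = pending["needed"] - pending["generating"]
            batches.append(pending)
            pending = None
    return batches


def shortfalls(batches):
    """(policy, key type) -> number of keys the enforcer needs but did not schedule."""
    return {(b["policy"], b["ktype"]): b["shortfall"] for b in batches if b["shortfall"] > 0}


if __name__ == "__main__":
    for (policy, ktype), missing in shortfalls(parse_enforcer_log(SAMPLE_LOG)).items():
        print(f"policy {policy}: {missing} {ktype}(s) needed but not scheduled")
```

Run against the real syslog instead of the sample, the output lists each policy/key type where a later "key generate" run (or a check of "ods-enforcer key list") is worth a look.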

