[Opendnssec-user] Question about keys backup functionality

Vincent Levigneron vincent.levigneron at afnic.fr
Wed Mar 3 21:36:08 UTC 2021


Hi,

I am currently running multiple TLDs on ODS 2.1.6 and I was not on time to
create a new set of keys for the next year. It already happened in the past, but
it was a long time ago with ODS 1.4, so I'd like to check if the
behaviour I observe with this version of ODS is the one expected. So I had
these kinds of messages:

Mar  3 14:50:01 nspublisher ods-enforcerd[913352]: [enforcer] updatePolicy: New key needed for role ZSK
Mar  3 14:50:01 nspublisher ods-enforcerd[913352]: [hsm_key_factory_get_key] no keys available
Mar  3 14:50:01 nspublisher ods-enforcerd[913352]: [enforcer] updatePolicy: No keys available in HSM for policy afnic.pol37, retry in 60 seconds

I have the <RequireBackup/> flag set in the conf file, and when I did a
generation for the next 12 months, I expected that the enforcer would
wait for the backup commit command before using the keys that had
just been created.

But what I see in the logs is different:

Mar  3 14:52:54 nspublisher ods-enforcerd[913352]: [hsm_key_factory_generate] 7 keys needed for 1 zones covering 31536000 seconds, generating 7 keys for policy afnic.pol37
Mar  3 14:52:54 nspublisher ods-enforcerd[913352]: 7 new ZSK(s) (256 bits) need to be created.
Mar  3 14:53:07 nspublisher ods-enforcerd[913352]: 1 zone(s) found on policy "afnic.pol37"
Mar  3 14:53:07 nspublisher ods-enforcerd[913352]: [hsm_key_factory_generate] 1 keys needed for 1 zones covering 31536000 seconds, generating 1 keys for policy afnic.pol37
Mar  3 14:53:07 nspublisher ods-enforcerd[913352]: 1 new KSK(s) (256 bits) need to be created.

Amongst the keys created, there is the key with label
1c7c4e2339f81d56b3e8be0bc6c97482 which is immediately used after its
creation.

Mar  3 14:53:09 nspublisher ods-enforcerd[913352]: [enforcer] updateZone: processing key 1c7c4e2339f81d56b3e8be0bc6c97482 1
Mar  3 14:53:09 nspublisher ods-enforcerd[913352]: [enforcer] updateZone: May ZSK 1c7c4e2339f81d56b3e8be0bc6c97482 DNSKEY in state hidden transition to rumoured?
Mar  3 14:53:09 nspublisher ods-enforcerd[913352]: [enforcer] updateZone Policy says we can (1/3)
Mar  3 14:53:09 nspublisher ods-enforcerd[913352]: [enforcer] updateZone DNSSEC says we can (2/3)
Mar  3 14:53:09 nspublisher ods-enforcerd[913352]: [enforcer] updateZone Timing says we can (3/3) now: 1614783189 key: 1614783189
Mar  3 14:53:09 nspublisher ods-enforcerd[913352]: [enforcer] updateZone: Transitioning ZSK 1c7c4e2339f81d56b3e8be0bc6c97482 DNSKEY from hidden to rumoured

So the key is already published before I send a notice to ODS that the
keys had been backed up.

Mar  3 15:02:40 nspublisher ods-enforcerd[913352]: received command backup prepare --repository AEPKeyper
Mar  3 15:12:49 nspublisher ods-enforcerd[913352]: received command backup commit --repository AEPKeyper

Is this how it is supposed to work?

Best regards,

    Vincent

-- 
	Vincent Levigneron  A.F.N.I.C.  Vincent.Levigneron at afnic.fr
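The ordering Vincent describes (keys generated, a DNSKEY leaving the hidden state, and only later a `backup commit`) can be checked mechanically from the enforcer log. The script below is an added example written for this page; it is not OpenDNSSEC code and not part of the original post. It re-uses the log lines quoted above as constructed sample input (the year 2021 is assumed because syslog timestamps carry none, and a single HSM repository is assumed since the generation lines do not name one), and it flags any `Transitioning ... from hidden to ...` event that occurs while the most recent key-generation batch has not been followed by a `backup commit`. It is a heuristic based purely on log order: the log does not tie a key label to the batch that produced it, so a flagged key could in principle be an older, already backed-up key; the enforcer's own key listing remains the authoritative view of the backup state.

```python
import re
from datetime import datetime

# Constructed sample input: the enforcer lines quoted in the post above,
# trimmed to the events this check needs. The year is not in syslog output.
SAMPLE_LOG = """\
Mar  3 14:50:01 nspublisher ods-enforcerd[913352]: [enforcer] updatePolicy: New key needed for role ZSK
Mar  3 14:50:01 nspublisher ods-enforcerd[913352]: [hsm_key_factory_get_key] no keys available
Mar  3 14:52:54 nspublisher ods-enforcerd[913352]: [hsm_key_factory_generate] 7 keys needed for 1 zones covering 31536000 seconds, generating 7 keys for policy afnic.pol37
Mar  3 14:53:07 nspublisher ods-enforcerd[913352]: [hsm_key_factory_generate] 1 keys needed for 1 zones covering 31536000 seconds, generating 1 keys for policy afnic.pol37
Mar  3 14:53:09 nspublisher ods-enforcerd[913352]: [enforcer] updateZone: Transitioning ZSK 1c7c4e2339f81d56b3e8be0bc6c97482 DNSKEY from hidden to rumoured
Mar  3 15:02:40 nspublisher ods-enforcerd[913352]: received command backup prepare --repository AEPKeyper
Mar  3 15:12:49 nspublisher ods-enforcerd[913352]: received command backup commit --repository AEPKeyper
"""

# syslog prefix: "Mon DD HH:MM:SS host ods-enforcerd[pid]: message"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ ods-enforcerd\[\d+\]: (?P<msg>.*)$"
)
GENERATE_RE = re.compile(
    r"\[hsm_key_factory_generate\] .*generating (?P<n>\d+) keys for policy (?P<policy>\S+)"
)
TRANSITION_RE = re.compile(
    r"\[enforcer\] updateZone: Transitioning (?P<role>ZSK|KSK) (?P<key>[0-9a-f]+) "
    r"DNSKEY from (?P<frm>\w+) to (?P<to>\w+)"
)
COMMIT_RE = re.compile(r"received command backup commit --repository (?P<repo>\S+)")


def parse_ts(text, year):
    """Parse a syslog timestamp; the year is supplied by the caller (assumed)."""
    return datetime.strptime(text, "%b %d %H:%M:%S").replace(year=year)


def find_unbacked_publications(log_text, year=2021):
    """Return DNSKEYs that left the 'hidden' state while the latest key
    generation batch had not yet been followed by a 'backup commit'.

    Heuristic on log order only: per-key repository and batch membership are
    not in the log, so a hit means "publication happened between generation
    and commit", not proof that this specific key was unbacked."""
    last_generate = None   # time of the most recent generation batch (n > 0)
    last_commit = None     # time of the most recent 'backup commit'
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = parse_ts(m.group("ts"), year)
        msg = m.group("msg")
        g = GENERATE_RE.search(msg)
        if g:
            if int(g.group("n")) > 0:
                last_generate = ts
            continue
        if COMMIT_RE.search(msg):
            last_commit = ts
            continue
        t = TRANSITION_RE.search(msg)
        if t and t.group("frm") == "hidden":
            # Keys were generated and no commit has happened since: the
            # RequireBackup expectation is that this transition should wait.
            unbacked = last_generate is not None and (
                last_commit is None or last_commit < last_generate
            )
            if unbacked:
                findings.append({
                    "key": t.group("key"),
                    "role": t.group("role"),
                    "to_state": t.group("to"),
                    "published_at": ts,
                    "last_generate": last_generate,
                    "last_commit": last_commit,
                })
    return findings


if __name__ == "__main__":
    for f in find_unbacked_publications(SAMPLE_LOG):
        print(f"{f['role']} {f['key']} went hidden->{f['to_state']} at "
              f"{f['published_at']} ; keys generated {f['last_generate']}, "
              f"last backup commit {f['last_commit']}")
```

Run it against a real `ods-enforcerd` log (feed the file contents in place of `SAMPLE_LOG`); an empty result means every hidden-to-published transition was preceded by a `backup commit` newer than the last generation batch, which is the ordering the `<RequireBackup/>` setting is expected to enforce.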