[Opendnssec-user] OpenDNSSEC-2.1.8 and SoftHSM-2.6.1 and a huge(?) repository
Paul Wouters
paul at nohats.ca
Mon Mar 15 19:31:24 UTC 2021
On Thu, 11 Mar 2021, (Berry) A.W. van Halderen via Opendnssec-user wrote:
>> >> Listing keys in all repositories.
>> >>
>> >> … hangs "forever" (1 hour at least).
>> >>
>> >> Hmm, is this something to worry about?
>
> Not if it's that large.

I have the same issue, reported a few years ago. See the mail archive.
In my case, though, it is clearly seen in the logs:

Mar 15 14:24:43 ns0 ods-enforcerd: Not enough keys to satisfy zsk policy for zone: chaishinyu.com. keys_to_allocate(1) = keys_needed(1) - (keys_available(1) - keys_pending_retirement(1))
Mar 15 14:24:43 ns0 ods-enforcerd: Tried to allocate 1 keys, failed on allocating key number 1
Mar 15 14:24:43 ns0 ods-enforcerd: ods-enforcerd will create some more keys on its next run

So it adds a key, thinks it failed, and 15 minutes later will do it
again. I have about 20 zones and my softhsm size is:

-rw-rw-r--. 1 ods ods 51M Mar 11 18:06 /var/lib/softhsm/slot0.db

It has reached the point where I can no longer add zones to my config,
and I need to sit down one day and re-install this signer :/

This is on 1.4.14 though, as previous attempts to upgrade to 2.x have
failed.

Paul
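
The retry pattern described in the message above can be spotted from syslog before the token database grows; the following is an added example, not part of the original post and not OpenDNSSEC code. The function names, the sample log lines (constructed, modelled on the quoted format) and the pairing of each "Tried to allocate" line with the preceding "Not enough keys" line are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

SHORTAGE = re.compile(
    r"^(\w{3} +\d+ [\d:]{8}) \S+ ods-enforcerd: Not enough keys to satisfy (\w+) policy "
    r"for zone: (\S+?)\.? keys_to_allocate\((\d+)\) = keys_needed\((\d+)\) - "
    r"\(keys_available\((\d+)\) - keys_pending_retirement\((\d+)\)\)")
FAILED = re.compile(r"ods-enforcerd: Tried to allocate \d+ keys, failed on allocating key number \d+")

def find_allocation_loops(log_text, min_repeats=2, year=2021):
    """Map (zone, key type) -> timestamps of shortages that were followed by a
    failed allocation, keeping only pairs seen at least min_repeats times."""
    failures = defaultdict(list)
    pending = None  # last shortage line still waiting for its outcome
    for line in log_text.splitlines():
        m = SHORTAGE.match(line)
        if m:
            stamp, ktype, zone = m.group(1, 2, 3)
            alloc, needed, avail, retiring = map(int, m.group(4, 5, 6, 7))
            # The line states its own arithmetic; a mismatch means a parse error.
            if alloc != needed - (avail - retiring):
                raise ValueError(f"inconsistent key counts: {line}")
            # syslog timestamps carry no year, so the caller supplies one.
            when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
            pending = (zone, ktype, when)
        elif pending and FAILED.search(line):
            # Assumption: the failure belongs to the most recent shortage line.
            failures[pending[:2]].append(pending[2])
            pending = None
    return {k: v for k, v in failures.items() if len(v) >= min_repeats}

def sample_run(stamp, zone):
    """Build one constructed enforcer run (three lines) for the sample log."""
    p = f"{stamp} ns0 ods-enforcerd: "
    return (f"{p}Not enough keys to satisfy zsk policy for zone: {zone}. keys_to_allocate(1) = "
            "keys_needed(1) - (keys_available(1) - keys_pending_retirement(1))\n"
            f"{p}Tried to allocate 1 keys, failed on allocating key number 1\n"
            f"{p}ods-enforcerd will create some more keys on its next run\n")

# Constructed sample data, not real logs.
SAMPLE_LOG = (sample_run("Mar 15 14:09:41", "example.com") + sample_run("Mar 15 14:24:43", "example.com")
              + sample_run("Mar 15 14:24:44", "example.org") + sample_run("Mar 15 14:39:45", "example.com"))

if __name__ == "__main__":
    for (zone, ktype), stamps in find_allocation_loops(SAMPLE_LOG).items():
        gaps = [int((b - a).total_seconds() // 60) for a, b in zip(stamps, stamps[1:])]
        print(f"{zone} {ktype}: {len(stamps)} failed allocations, gaps (min): {gaps}")
```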