Keys will not be reused if they are marked as retired or dead for any of
the zones that are using / have used them.
Is it possible that a zone has been deleted from this policy? That would
mark its keys as dead and so make them ineligible for further use. (The
idea is that if you keep adding zones then the keys could get really out
of sync unless this is done.)
Sion
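The eligibility rule above (a key is not reused once it is retired or dead for any zone that uses or has used it), as an added checker that is not part of the thread or of OpenDNSSEC itself: it parses `ods-ksmutil key list -v` output and reports, per CKA_ID, which zones use the key and whether it could still be shared with a new zone. The column layout is assumed to be the aligned one pasted in the original mail, and the rule is an approximation of the enforcer's behaviour as described in the reply.

```python
import re
from collections import defaultdict

INELIGIBLE = {"retire", "dead"}  # states that make a key ineligible for any zone

# Constructed sample, abbreviated from the listing quoted in the thread.
SAMPLE = """\
Keys:
Zone: Keytype: State: Date of next transition (to): Size: Algorithm: CKA_ID: Repository: Keytag:
example  KSK active  2013-07-05 20:48:04 (retire) 2048 8 4f6800a714b360cacaef8f7705b296f4 SoftHSM 3224
example  ZSK retire  2012-07-23 17:15:52 (dead)   1024 8 d4da5c39adce4b840d9e554d28c43b1b SoftHSM 3906
example  ZSK active  2012-07-23 20:04:52 (retire) 1024 8 f1296491876d3d149c0583159a60bab3 SoftHSM 4711
example4 ZSK active  2012-07-23 20:04:53 (retire) 1024 8 d4da5c39adce4b840d9e554d28c43b1b SoftHSM 3906
example4 KSK publish 2012-07-23 16:20:53 (ready)  2048 8 fd2c2f51f36b60a5dad981a9c419e722 SoftHSM 61157
"""

# One key row of "ods-ksmutil key list -v" (layout assumed from the thread's paste).
ROW = re.compile(
    r"^(?P<zone>\S+)\s+(?P<type>KSK|ZSK)\s+(?P<state>\S+)\s+"
    r"(?P<next>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+\((?P<to>\w+)\)\s+"
    r"(?P<size>\d+)\s+(?P<alg>\d+)\s+(?P<cka>[0-9a-f]{32})\s+(?P<repo>\S+)\s+(?P<tag>\d+)$"
)

def parse_key_list(text):
    """Return one dict per key row; header, banner and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows

def shareable_keys(rows):
    """Map CKA_ID -> (keytype, sorted zones, eligible).
    A key is eligible for sharing with a new zone only if it is not in
    state retire or dead for ANY zone that uses or has used it."""
    by_key = defaultdict(list)
    for r in rows:
        by_key[r["cka"]].append(r)
    result = {}
    for cka, uses in by_key.items():
        eligible = not any(u["state"] in INELIGIBLE for u in uses)
        result[cka] = (uses[0]["type"], sorted({u["zone"] for u in uses}), eligible)
    return result

if __name__ == "__main__":
    for cka, (ktype, zones, ok) in shareable_keys(parse_key_list(SAMPLE)).items():
        print(f"{ktype} {cka} zones={zones} {'shareable' if ok else 'NOT shareable'}")
```

Run it against the full listing from your own installation to see which shared keys the enforcer will refuse to hand to a newly added zone.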
On 23/07/12 09:17, ?? wrote:
Hi all,
I'm trying to maintain multiple zones with the same keys; I configured
the policy with ShareKeys valid.
Zones example, example2 and example3 share the keys correctly, but when
I tried to add the large zone example4 again, an interesting hint
came up:
[root@CST-BJ-104:/var/opendnssec/unsigned]$ods-ksmutil zone add -z example4 -p lab
zonelist filename set to /etc/opendnssec/zonelist.xml.
Not enough keys to satisfy ksk policy for zone: example4
ods-enforcerd will create some more keys on its next run
Error allocating ksks to zone example4
Failed to Link Keys to zone
Imported zone: example4
So I tried to import a non-existent zone named example5 to see what keys
it would use, and it turned out that it would share the keys newly
created when adding example4. Does that make sense? Do not all zones
share the same KSK and ZSKs?
[root@CST-BJ-104:/var/opendnssec/unsigned]$ods-ksmutil key list -v
SQLite database set to: /var/opendnssec/kasp.db
/var/opendnssec/kasp.db.our_lock already locked, sleep
Keys:
Zone:     Keytype: State:   Date of next transition (to): Size: Algorithm: CKA_ID:                          Repository: Keytag:
example   KSK      active   2013-07-05 20:48:04 (retire)  2048  8          4f6800a714b360cacaef8f7705b296f4 SoftHSM     3224
example   ZSK      retire   2012-07-23 17:15:52 (dead)    1024  8          d4da5c39adce4b840d9e554d28c43b1b SoftHSM     3906
example   ZSK      active   2012-07-23 20:04:52 (retire)  1024  8          f1296491876d3d149c0583159a60bab3 SoftHSM     4711
example3  KSK      active   2013-07-19 13:14:27 (retire)  2048  8          4f6800a714b360cacaef8f7705b296f4 SoftHSM     3224
example3  ZSK      retire   2012-07-23 17:15:53 (dead)    1024  8          d4da5c39adce4b840d9e554d28c43b1b SoftHSM     3906
example3  ZSK      active   2012-07-23 20:04:53 (retire)  1024  8          f1296491876d3d149c0583159a60bab3 SoftHSM     4711
example2  KSK      active   2013-07-19 13:12:27 (retire)  2048  8          4f6800a714b360cacaef8f7705b296f4 SoftHSM     3224
example2  ZSK      retire   2012-07-23 17:15:53 (dead)    1024  8          d4da5c39adce4b840d9e554d28c43b1b SoftHSM     3906
example2  ZSK      active   2012-07-23 20:04:53 (retire)  1024  8          f1296491876d3d149c0583159a60bab3 SoftHSM     4711
example4  ZSK      active   2012-07-23 20:04:53 (retire)  1024  8          d4da5c39adce4b840d9e554d28c43b1b SoftHSM     3906
example4  KSK      publish  2012-07-23 16:20:53 (ready)   2048  8          fd2c2f51f36b60a5dad981a9c419e722 SoftHSM     61157
example5  ZSK      active   2012-07-23 20:06:48 (retire)  1024  8          f1296491876d3d149c0583159a60bab3 SoftHSM     4711
example5  KSK      publish  2012-07-23 16:22:48 (ready)   2048  8          fd2c2f51f36b60a5dad981a9c419e722 SoftHSM     61157
Best regards,
Stuart
_______________________________________________
Opendnssec-user mailing list
Opendnssec-user@lists.opendnssec.org
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user