On 06/12/13 17:57, Mathieu Arnold wrote:
> Hi,
>
> SoftHSM 1.3.5, opendnssec 1.4.3.
>
> Today, I added about 30 more zones, I ran ods-ksmutil generate like I
> always do so that I can get the keys backed up before they are used, then I
> did ods-control enforcer notify so that it began its job with the new
> zones. Everything went well for the first 27 zones, and for the last three,
> it said:
>
> Dec 6 18:23:36 ns1 ods-enforcerd: Zone veryinbox.fr found.
> Dec 6 18:23:36 ns1 ods-enforcerd: Policy for veryinbox.fr set to default.
> Dec 6 18:23:36 ns1 ods-enforcerd: Config will be output to
> /usr/local/var/opendnssec/signconf/veryinbox.fr.xml.
> Dec 6 18:23:36 ns1 ods-enforcerd: Not enough keys to satisfy ksk policy
> for zone: veryinbox.fr
> Dec 6 18:23:36 ns1 ods-enforcerd: ods-enforcerd will create some more keys
> on its next run
> Dec 6 18:23:36 ns1 ods-enforcerd: Error allocating ksks to zone
> veryinbox.fr
>
> I went back and had a look, ods-ksmutil generate did generate enough keys,
> I tried HUP'ing it again, no luck, then stop/start, still no luck. Then I
> went on to remove the zones, HUP', and add them back, HUP', still no luck.
>
> I have 1614 zones in that policy, 1664 (yes, like the beer) zones total, is
> there supposed to be some kind of limit on the number of zones, or keys, or
> something, somewhere?
>

The only limits are ones that you can set yourself in conf.xml on the size of a repository; but using softhsm this is probably not set.

There used to be an issue with key generation that looked like this, but I thought it had been fixed... Maybe it has returned or maybe this is a slightly different problem.

We can have a look, to try to understand what is going on. In the meantime you can generate keys for longer in order to increase the number created.

Sion
