On 12-03-14 10:17, Petr Spacek wrote:
> However, can AutomaticKeyGenerationPeriod explain the difference between
> first and second "zone add" run with the same policy?
>
> Default policy:
> # ods-enforcer zone add --zone def1.test.
> generating 1 KSKs of 2048 bits for policy 'default'.
> generating 5 ZSKs of 1024 bits for policy 'default'.
>
> # ods-enforcer zone add --zone def2.test.
> generating 2 KSKs of 2048 bits for policy 'default'.
> generating 6 ZSKs of 1024 bits for policy 'default'.

I think I know where this comes from. You configure it to pregenerate a pool of 5 ZSKs for each zone of that specific policy. When you add the first zone, it generates 5 keys, then uses 1 for def1.test. 4 keys are left in the pool. For the second zone, it wants to have 2x5 keys in the pool, so it needs to generate another 6.

> Lab policy:
> # ods-enforcer zone add --zone lab1.test. --policy lab
> generating 1 KSKs of 2048 bits for policy 'lab'.
> generating 2190 ZSKs of 1024 bits for policy 'lab'.
>
> # ods-enforcer zone add --zone lab2.test. --policy lab
> generating 1 KSKs of 2048 bits for policy 'lab'.
> generating 4324 ZSKs of 1024 bits for policy 'lab'.

A similar thing is happening; this time your key lifetime is short. By the time you are doing the 2nd zone add, I guess the first was not finished yet. I hope at this time only 1 key generation task is running, else you will end up with 6514 keys instead of 4324.

This is something that is on my list of revising / discussing how key pre-generation should work exactly.

> (I do ods-enforcer setup && ods-control stop && softhsm-util --init-slot && ods-control start before each experiment.)

I'm unsure what the effect is of "softhsm-util --init-slot" after you do the setup command. During the setup the enforcer will have some interaction with the HSM.

//Yuri

-- 
Composed on an actual keyboard: all typos genuine.

_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
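As an added illustration (not part of this thread and not OpenDNSSEC code), the following Python model reproduces the pool rule described in the reply above: the policy wants a fixed number of keys per zone, a "zone add" announces the difference between that target and what is already in the pool, and a second "zone add" issued while the first generation task is still running starts an independent second task. The per-zone targets (5 ZSKs and 1 KSK for 'default', 2190 ZSKs for 'lab') are read off the counts quoted in the mail; the 56 keys assumed to exist when lab2.test was added are a constructed value (2x2190 - 4324), the figure this model needs to reproduce the quoted output, and not something the mail states.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed model of enforcer key pre-generation for one key type (KSK or
# ZSK) under one policy. The pool rule "per_zone keys for every zone of the
# policy" is an assumption taken from the mail, not OpenDNSSEC's implementation.


@dataclass
class KeyPool:
    per_zone: int                                      # keys wanted in the pool per zone
    zones: List[str] = field(default_factory=list)
    unused: int = 0                                    # generated, not yet given to a zone
    assigned: int = 0                                  # zones that already hold a key
    pending: List[int] = field(default_factory=list)   # keys still owed by running tasks
    generated_total: int = 0

    def target(self) -> int:
        return self.per_zone * len(self.zones)

    def zone_add(self, zone: str) -> int:
        """Registers a zone and returns the count the enforcer would announce."""
        self.zones.append(zone)
        todo = max(0, self.target() - self.unused)
        if todo:
            self.pending.append(todo)   # a new task; older tasks keep running
        return todo

    def run_tasks(self, limit: Optional[int] = None) -> int:
        """Lets the running tasks produce keys; at most `limit` keys if given."""
        budget = limit
        still_pending = []
        produced = 0
        for owed in self.pending:
            n = owed if budget is None else min(owed, budget)
            produced += n
            if budget is not None:
                budget -= n
            if owed - n:
                still_pending.append(owed - n)   # task interrupted, keeps its remainder
        self.pending = still_pending
        self.unused += produced
        self.generated_total += produced
        return produced

    def assign_keys(self) -> int:
        """Each zone without a key takes one from the pool."""
        take = min(len(self.zones) - self.assigned, self.unused)
        self.assigned += take
        self.unused -= take
        return take


def default_policy_scenario():
    """def1.test / def2.test with pools of 1 KSK and 5 ZSKs per zone.

    Small pools finish generating before the next command, so each zone
    takes its key from the pool before the next zone is added."""
    ksk, zsk = KeyPool(per_zone=1), KeyPool(per_zone=5)
    announced = []
    for zone in ("def1.test", "def2.test"):
        announced.append((ksk.zone_add(zone), zsk.zone_add(zone)))
        for pool in (ksk, zsk):
            pool.run_tasks()
            pool.assign_keys()
    return announced   # [(1, 5), (2, 6)], matching the quoted output


def lab_policy_scenario(keys_done_before_second_add=56, second_task_cancels_first=False):
    """lab1.test / lab2.test with a 2190-ZSK pool per zone, second add issued early.

    The 56 is constructed: 2*2190 - 4324, what the first (still running) task
    must have produced for the second add to announce 4324."""
    zsk = KeyPool(per_zone=2190)
    first = zsk.zone_add("lab1.test")                    # 2190
    zsk.run_tasks(limit=keys_done_before_second_add)     # task interrupted, 56 in pool
    second = zsk.zone_add("lab2.test")                   # 2*2190 - 56 = 4324
    if second_task_cancels_first:
        zsk.pending = zsk.pending[-1:]                   # only one task keeps running
    zsk.run_tasks()
    return first, second, zsk.generated_total            # 6514 keys if both tasks finish


if __name__ == "__main__":
    print(default_policy_scenario())
    print(lab_policy_scenario())
    print(lab_policy_scenario(second_task_cancels_first=True))
```

With both lab tasks left running the model ends at 6514 generated keys, the figure the reply warns about; if only one task survives, the pool ends exactly at its 2x2190 target.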
