Hi Juan,

The conf.xml has a <AutomaticKeyGenerationPeriod> in the enforcer section. If not specified it defaults to a year. If you use a policy with a very short key lifetime, such as lab, you might want to set it *much* lower.

https://wiki.opendnssec.org/display/DOCS20/conf.xml#conf.xml-Enforcer

Best regards,
Yuri

On 10-10-16 11:51, Juan Carlos Rodriguez wrote:
> Hi,
>
> We have compiled the 2.0.1 version to test with our Luna HSM. We have
> added one zone for testing (the policy is like "lab" policy but using
> our HSM instead of softhsm), and a lot of ZSK keys (1761) have been
> created. Is it a new behavior or a bug?
>
> Oct 10 11:03:59 dnssectest ods-enforcerd: [enforcer] updatePolicy: policyName: testfast_safenet
> Oct 10 11:03:59 dnssectest ods-enforcerd: [enforcer] updatePolicy: New key needed for role KSK
> Oct 10 11:03:59 dnssectest ods-enforcerd: [enforcer] updatePolicy: got new key from HSM
> Oct 10 11:03:59 dnssectest ods-enforcerd: 1 zone(s) found on policy "testfast_safenet"
> Oct 10 11:03:59 dnssectest ods-enforcerd: [hsm_key_factory_generate] 122 keys needed for 1 zones covering 31536000 seconds, generating 1 keys for policy testfast_safenet
> Oct 10 11:03:59 dnssectest ods-enforcerd: 1 new KSK(s) (2048 bits) need to be created.
> Oct 10 11:04:00 dnssectest ods-enforcerd: [hsm_key_factory_generate] key generation failed, HSM error: generate key pair: Unknown error
> Oct 10 11:04:00 dnssectest ods-enforcerd: 1 zone(s) found on policy "testfast_safenet"
> Oct 10 11:04:00 dnssectest ods-enforcerd: [hsm_key_factory_generate] 2190 keys needed for 1 zones covering 31536000 seconds, generating 1761 keys for policy testfast_safenet
> Oct 10 11:04:00 dnssectest ods-enforcerd: 1761 new ZSK(s) (2048 bits) need to be created.
>
> <Policy name="testfast_safenet">
>     <Description>Quick turnaround policy for lab work</Description>
>     <Signatures>
>         <Resign>PT10M</Resign>
>         <Refresh>PT50M</Refresh>
>         <Validity>
>             <Default>PT1H</Default>
>             <Denial>PT1H</Denial>
>         </Validity>
>         <Jitter>PT1M</Jitter>
>         <InceptionOffset>PT30S</InceptionOffset>
>     </Signatures>
>     ...
>     <Keys>
>         <!-- Parameters for both KSK and ZSK -->
>         <TTL>PT300S</TTL>
>         <RetireSafety>PT360S</RetireSafety>
>         <PublishSafety>PT360S</PublishSafety>
>         <!-- <ShareKeys/> -->
>         <Purge>PT10S</Purge>
>
>         <!-- Parameters for KSK only -->
>         <KSK>
>             <Algorithm length="2048">8</Algorithm>
>             <Lifetime>P3D</Lifetime>
>             <Repository>SafenetLuna7000</Repository>
>         </KSK>
>
>         <!-- Parameters for ZSK only -->
>         <ZSK>
>             <Algorithm length="2048">8</Algorithm>
>             <Lifetime>PT4H</Lifetime>
>             <Repository>SafenetLuna7000</Repository>
>             <!-- <ManualRollover/> -->
>         </ZSK>
>     </Keys>
>     ...
> </Policy>
>
> Kind regards
>
> --
> ---------------------------------------------
> Juan Carlos Rodríguez Merino
> NOC RedIRIS
> Tel: 912127620 (Ext. 4345)
>
> RedIRIS / Red.es
> Edificio Bronce
> Plaza de Manuel Gómez Moreno, s/n - 2ª planta
> 28020 Madrid
> ---------------------------------------------
>
> _______________________________________________
> Opendnssec-user mailing list
> [email protected]
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
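The arithmetic behind the "keys needed" figures in the quoted log, as an added example that is not code from this thread or from OpenDNSSEC itself: the enforcer pre-generates enough keys to cover the AutomaticKeyGenerationPeriod, and with the default period of a year (31536000 s) a ZSK lifetime of PT4H means 31536000 / 14400 = 2190 ZSKs, and a KSK lifetime of P3D means ceil(31536000 / 259200) = 122 KSKs, per zone. The script below models that as ceil(period / lifetime) per zone (an assumption; the enforcer's real bookkeeping also accounts for keys it already has, which is why the log generates 1761 rather than 2190), parses the quoted policy's lifetimes from a constructed kasp.xml fragment, and compares the default conf.xml against one that sets the period to P1D. The duration parser treats a year as 365 days, which is what the 31536000 in the log implies.

```python
import math
import re
import xml.etree.ElementTree as ET

# Constructed for this example: the Keys section of the policy quoted in the
# thread, in the kasp.xml layout, and two conf.xml Enforcer sections, one empty
# (default period) and one with the lowered AutomaticKeyGenerationPeriod.
KASP_XML = """<KASP>
<Policy name="testfast_safenet">
  <Keys>
    <KSK><Algorithm length="2048">8</Algorithm><Lifetime>P3D</Lifetime>
         <Repository>SafenetLuna7000</Repository></KSK>
    <ZSK><Algorithm length="2048">8</Algorithm><Lifetime>PT4H</Lifetime>
         <Repository>SafenetLuna7000</Repository></ZSK>
  </Keys>
</Policy>
</KASP>"""

CONF_XML_DEFAULT = "<Configuration><Enforcer></Enforcer></Configuration>"
CONF_XML_LAB = """<Configuration><Enforcer>
  <AutomaticKeyGenerationPeriod>P1D</AutomaticKeyGenerationPeriod>
</Enforcer></Configuration>"""

# ISO 8601 duration subset used in OpenDNSSEC configs: P[nY][nM][nW][nD][T[nH][nM][nS]]
_DUR = re.compile(
    r"^P(?:(\d+)Y)?(?:(\d+)M)?(?:(\d+)W)?(?:(\d+)D)?"
    r"(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$"
)


def duration_seconds(text):
    """Convert e.g. 'PT4H', 'P3D' or 'P1Y' to seconds.
    Assumption: a year is 365 days and a month 30 days (no calendar awareness),
    matching the 31536000 s that the enforcer log reports for one year."""
    text = text.strip()
    m = _DUR.match(text)
    if not m or text in ("P", "PT"):
        raise ValueError(f"bad duration: {text!r}")
    y, mo, w, d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    days = y * 365 + mo * 30 + w * 7 + d
    return ((days * 24 + h) * 60 + mi) * 60 + s


def generation_period(conf_xml):
    """AutomaticKeyGenerationPeriod from the Enforcer section, defaulting to a year."""
    root = ET.fromstring(conf_xml)
    node = root.find("./Enforcer/AutomaticKeyGenerationPeriod")
    return duration_seconds(node.text if node is not None else "P1Y")


def keys_needed(kasp_xml, conf_xml, policy_name, zones=1):
    """Keys to pre-generate per role, modelled as ceil(period / lifetime) per zone.
    Assumption: this simple model reproduces the 'keys needed' figures in the
    quoted log (122 KSKs, 2190 ZSKs); the enforcer's own counting is more involved."""
    period = generation_period(conf_xml)
    root = ET.fromstring(kasp_xml)
    policy = root.find(f"./Policy[@name='{policy_name}']")
    if policy is None:
        raise KeyError(policy_name)
    needed = {}
    for role in ("KSK", "ZSK"):
        lifetime = duration_seconds(policy.find(f"./Keys/{role}/Lifetime").text)
        needed[role] = zones * math.ceil(period / lifetime)
    return needed


if __name__ == "__main__":
    print("default period:", keys_needed(KASP_XML, CONF_XML_DEFAULT, "testfast_safenet"))
    print("P1D period:    ", keys_needed(KASP_XML, CONF_XML_LAB, "testfast_safenet"))
```

With the default period the model gives {'KSK': 122, 'ZSK': 2190}, the same figures the log prints; with the period lowered to P1D it gives {'KSK': 1, 'ZSK': 6}. The practical reason to care on a hardware HSM is that each of those keys is a 2048-bit RSA key pair generated and stored inside the token: key slots are finite and generation is slow, so a lab policy left with the one-year default can fill the partition with thousands of short-lived ZSKs before the first rollover.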