Thank you Yuri, I will do as you comment.

Juan Carlos

On 10/10/16 at 15:43, Yuri Schaeffer wrote:
Hi Juan,

The conf.xml has a <AutomaticKeyGenerationPeriod> in the enforcer section. If not specified it defaults to a year. If you use a policy with a very short key lifetime, such as lab, you might want to set it *much* lower.

https://wiki.opendnssec.org/display/DOCS20/conf.xml#conf.xml-Enforcer

Best regards,
Yuri

On 10-10-16 11:51, Juan Carlos Rodriguez wrote:

Hi,

We have compiled the 2.0.1 version to test with our Luna HSM. We have added one zone for testing (the policy is like "lab" policy but using our HSM instead of softhsm), and a lot of ZSK keys (1761) have been created. Is it a new behavior or a bug?

    Oct 10 11:03:59 dnssectest ods-enforcerd: [enforcer] updatePolicy: policyName: testfast_safenet
    Oct 10 11:03:59 dnssectest ods-enforcerd: [enforcer] updatePolicy: New key needed for role KSK
    Oct 10 11:03:59 dnssectest ods-enforcerd: [enforcer] updatePolicy: got new key from HSM
    Oct 10 11:03:59 dnssectest ods-enforcerd: 1 zone(s) found on policy "testfast_safenet"
    Oct 10 11:03:59 dnssectest ods-enforcerd: [hsm_key_factory_generate] 122 keys needed for 1 zones covering 31536000 seconds, generating 1 keys for policy testfast_safenet
    Oct 10 11:03:59 dnssectest ods-enforcerd: 1 new KSK(s) (2048 bits) need to be created.
    Oct 10 11:04:00 dnssectest ods-enforcerd: [hsm_key_factory_generate] key generation failed, HSM error: generate key pair: Unknown error
    Oct 10 11:04:00 dnssectest ods-enforcerd: 1 zone(s) found on policy "testfast_safenet"
    Oct 10 11:04:00 dnssectest ods-enforcerd: [hsm_key_factory_generate] 2190 keys needed for 1 zones covering 31536000 seconds, generating 1761 keys for policy testfast_safenet
    Oct 10 11:04:00 dnssectest ods-enforcerd: 1761 new ZSK(s) (2048 bits) need to be created.

    <Policy name="testfast_safenet">
        <Description>Quick turnaround policy for lab work</Description>
        <Signatures>
            <Resign>PT10M</Resign>
            <Refresh>PT50M</Refresh>
            <Validity>
                <Default>PT1H</Default>
                <Denial>PT1H</Denial>
            </Validity>
            <Jitter>PT1M</Jitter>
            <InceptionOffset>PT30S</InceptionOffset>
        </Signatures>
        ...
        <Keys>
            <!-- Parameters for both KSK and ZSK -->
            <TTL>PT300S</TTL>
            <RetireSafety>PT360S</RetireSafety>
            <PublishSafety>PT360S</PublishSafety>
            <!-- <ShareKeys/> -->
            <Purge>PT10S</Purge>
            <!-- Parameters for KSK only -->
            <KSK>
                <Algorithm length="2048">8</Algorithm>
                <Lifetime>P3D</Lifetime>
                <Repository>SafenetLuna7000</Repository>
            </KSK>
            <!-- Parameters for ZSK only -->
            <ZSK>
                <Algorithm length="2048">8</Algorithm>
                <Lifetime>PT4H</Lifetime>
                <Repository>SafenetLuna7000</Repository>
                <!-- <ManualRollover/> -->
            </ZSK>
        </Keys>
        ...
    </Policy>

Kind regards

--
---------------------------------------------
Juan Carlos Rodríguez Merino
NOC RedIRIS
Tel: 912127620 (Ext. 4345)
RedIRIS / Red.es
Edificio Bronce
Plaza de Manuel Gómez Moreno, s/n - 2ª planta
28020 Madrid
---------------------------------------------
_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
-- --------------------------------------------- Juan Carlos Rodríguez Merino NOC RedIRIS Tel: 912127620 (Ext. 4345) RedIRIS / Red.es Edificio Bronce Plaza de Manuel Gómez Moreno, s/n - 2ª planta 28020 Madrid ---------------------------------------------
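The "keys needed" counts in the log above (122 KSKs and 2190 ZSKs over 31536000 seconds) match the generation period divided by each key lifetime, rounded up. The following added example (not part of the thread and not OpenDNSSEC code) reproduces that arithmetic for a policy so the effect of a shorter <AutomaticKeyGenerationPeriod> can be checked before the HSM is asked to pre-generate keys; the function names and the ceil(period / lifetime) formula are assumptions inferred from those log lines.

```python
import math
import re
import xml.etree.ElementTree as ET

# Constructed sample: only the key lifetimes from the policy quoted in the thread.
POLICY_XML = """
<Policy name="testfast_safenet">
  <Keys>
    <KSK><Lifetime>P3D</Lifetime></KSK>
    <ZSK><Lifetime>PT4H</Lifetime></ZSK>
  </Keys>
</Policy>
"""

# Subset of ISO 8601 durations: years, days, hours, minutes, seconds.
_DURATION = re.compile(
    r"^P(?:(\d+)Y)?(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$"
)
# Assumption: one year is 365 days, matching the 31536000 seconds in the log.
_UNIT_SECONDS = (31536000, 86400, 3600, 60, 1)


def duration_seconds(text):
    """Convert a duration such as PT4H or P3D to seconds."""
    m = _DURATION.match(text.strip())
    if not m or not any(m.groups()):
        raise ValueError(f"unsupported duration: {text!r}")
    return sum(int(v) * u for v, u in zip(m.groups(), _UNIT_SECONDS) if v)


def keys_needed(policy_xml, period):
    """Estimate keys per role for one zone over the generation period.

    Assumed formula (inferred from the log, not from OpenDNSSEC source):
    ceil(period / lifetime).
    """
    period_s = duration_seconds(period)
    keys = ET.fromstring(policy_xml).find("Keys")
    result = {}
    for role in ("KSK", "ZSK"):
        lifetime_s = duration_seconds(keys.findtext(f"{role}/Lifetime"))
        if lifetime_s == 0:
            raise ValueError(f"{role} lifetime must be non-zero")
        result[role] = math.ceil(period_s / lifetime_s)
    return result


if __name__ == "__main__":
    for period in ("P1Y", "P1D"):
        print(period, keys_needed(POLICY_XML, period))
```

Under this formula, a period of P1D brings the same policy down to 1 KSK and 6 ZSKs.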
