Hello,

With ODS version 1, when you execute an "ods-ksmutil key generate" command the tool tells you how many keys are going to be created and many useful details (like their id):
> ods-ksmutil key generate --policy testing --interval 3D
Key sharing is Off
HSM opened successfully.
Info: 2 zone(s) found on policy "testing3”
2 new KSK(s) (2048 bits) need to be created for policy testing:
keys_to_generate(2) = keys_needed(2) - keys_available(0).
2 new ZSK(s) (1024 bits) need to be created for policy testing:
keys_to_generate(2) = keys_needed(2) - keys_available(0).
*WARNING* This will create 2 KSKs (2048 bits) and 2 ZSKs (1024 bits)
Are you sure? [y/N]
y
Created KSK size: 2048, alg: 8 with id: 0c4f30f16219c0ef411c6e376c8a9639 in
repository: AEPKeyper and database.
Created KSK size: 2048, alg: 8 with id: 40dfdcee3144534af486a6e641898e2b in
repository: AEPKeyper and database.
Created ZSK size: 1024, alg: 8 with id: b4afdc9ad78cce3eb24c6636642c7b20 in
repository: AEPKeyper and database.
Created ZSK size: 1024, alg: 8 with id: 0d5d04110c9321cc6920b6bfd8982c4a in
repository: AEPKeyper and database.
[...]
And the keys are actually created in DB and HSM.
With ODS 2.1.6, I obtain something "lighter":
> ods-enforcer key generate --policy afnic.yt -- duration 365D
Key generation task scheduled.
I can find some details in the logs:
Nov 19 22:27:31 nspublisher ods-enforcerd: [hsm_key_factory_generate] 7 keys
needed for 1 zones covering 31536000 seconds, generating 3 keys for policy
afnic.yt
Nov 19 22:27:31 nspublisher ods-enforcerd: 3 new ZSK(s) (256 bits) need to be
created.
Nov 19 22:27:31 nspublisher ods-enforcerd: 1 zone(s) found on policy "afnic.yt"
Nov 19 22:27:31 nspublisher ods-enforcerd: [hsm_key_factory_generate] 1 keys
needed for 1 zones covering 31536000 seconds, generating 1 keys for policy
afnic.yt
Nov 19 22:27:31 nspublisher ods-enforcerd: 1 new KSK(s) (256 bits) need to be
created.
But it does not say if the keys are really created, which is indeed not the
case, because if I use a command like "ods-enforcer backup list",
I can see just one new key which is not backed up.
Is there a way to force, like with ODS1, the creation of all needed keys
when we launch the key generation command, and is it possible to have
more details without going into the logs for that?
Regards,
Vincent
--
Vincent Levigneron A.F.N.I.C. [email protected]
_______________________________________________ Opendnssec-user mailing list [email protected] https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
