Hi, I am currently running multiple TLDs on ODS 2.1.6 and I was not in time to create a new set of keys for the next year. It already happened in the past, but it was a long time ago with ODS 1.4, so I'd like to check whether the behaviour I observe with this version of ODS is the expected one. So I had this kind of messages:

Mar 3 14:50:01 nspublisher ods-enforcerd[913352]: [enforcer] updatePolicy: New key needed for role ZSK
Mar 3 14:50:01 nspublisher ods-enforcerd[913352]: [hsm_key_factory_get_key] no keys available
Mar 3 14:50:01 nspublisher ods-enforcerd[913352]: [enforcer] updatePolicy: No keys available in HSM for policy afnic.pol37, retry in 60 seconds

I have the <RequireBackup/> flag set in the conf file, and when I did a generation for the next 12 months, I expected that the enforcer would wait for the backup commit command before using the keys that had just been created. But what I see in the logs is different:

Mar 3 14:52:54 nspublisher ods-enforcerd[913352]: [hsm_key_factory_generate] 7 keys needed for 1 zones covering 31536000 seconds, generating 7 keys for policy afnic.pol37
Mar 3 14:52:54 nspublisher ods-enforcerd[913352]: 7 new ZSK(s) (256 bits) need to be created.
Mar 3 14:53:07 nspublisher ods-enforcerd[913352]: 1 zone(s) found on policy "afnic.pol37"
Mar 3 14:53:07 nspublisher ods-enforcerd[913352]: [hsm_key_factory_generate] 1 keys needed for 1 zones covering 31536000 seconds, generating 1 keys for policy afnic.pol37
Mar 3 14:53:07 nspublisher ods-enforcerd[913352]: 1 new KSK(s) (256 bits) need to be created.

Amongst the keys created, there is the key with label 1c7c4e2339f81d56b3e8be0bc6c97482 which is immediately used after its creation.

Mar 3 14:53:09 nspublisher ods-enforcerd[913352]: [enforcer] updateZone: processing key 1c7c4e2339f81d56b3e8be0bc6c97482 1
Mar 3 14:53:09 nspublisher ods-enforcerd[913352]: [enforcer] updateZone: May ZSK 1c7c4e2339f81d56b3e8be0bc6c97482 DNSKEY in state hidden transition to rumoured?
Mar 3 14:53:09 nspublisher ods-enforcerd[913352]: [enforcer] updateZone Policy says we can (1/3)
Mar 3 14:53:09 nspublisher ods-enforcerd[913352]: [enforcer] updateZone DNSSEC says we can (2/3)
Mar 3 14:53:09 nspublisher ods-enforcerd[913352]: [enforcer] updateZone Timing says we can (3/3) now: 1614783189 key: 1614783189
Mar 3 14:53:09 nspublisher ods-enforcerd[913352]: [enforcer] updateZone: Transitioning ZSK 1c7c4e2339f81d56b3e8be0bc6c97482 DNSKEY from hidden to rumoured

So the key is already published before I send a notice to ODS that the keys had been backed up.

Mar 3 15:02:40 nspublisher ods-enforcerd[913352]: received command backup prepare --repository AEPKeyper
Mar 3 15:12:49 nspublisher ods-enforcerd[913352]: received command backup commit --repository AEPKeyper

Is this how it is supposed to work?

Best regards,
Vincent

--
Vincent Levigneron
A.F.N.I.C.
vincent.levigne...@afnic.fr
_______________________________________________ Opendnssec-user mailing list Opendnssec-user@lists.opendnssec.org https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
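The post above is essentially an audit question: did a DNSKEY leave the hidden state before the HSM backup it depends on was committed? The following script is an added example (not Vincent's code and not part of OpenDNSSEC) that runs that check over ods-enforcerd log lines. The sample log is constructed from the lines quoted in the post; the year (2021, consistent with the epoch 1614783189 in the "Timing says we can" line) is an assumption because syslog timestamps do not carry it, and because the "N new ZSK(s) need to be created" lines name no key labels, the check is a conservative heuristic: any transition out of hidden that follows a generation event with no `backup commit` in between is flagged.

```python
import re
from datetime import datetime

# Constructed sample: the enforcer lines quoted in the post above.
SAMPLE_LOG = """\
Mar 3 14:52:54 nspublisher ods-enforcerd[913352]: [hsm_key_factory_generate] 7 keys needed for 1 zones covering 31536000 seconds, generating 7 keys for policy afnic.pol37
Mar 3 14:52:54 nspublisher ods-enforcerd[913352]: 7 new ZSK(s) (256 bits) need to be created.
Mar 3 14:53:07 nspublisher ods-enforcerd[913352]: 1 new KSK(s) (256 bits) need to be created.
Mar 3 14:53:09 nspublisher ods-enforcerd[913352]: [enforcer] updateZone: Transitioning ZSK 1c7c4e2339f81d56b3e8be0bc6c97482 DNSKEY from hidden to rumoured
Mar 3 15:02:40 nspublisher ods-enforcerd[913352]: received command backup prepare --repository AEPKeyper
Mar 3 15:12:49 nspublisher ods-enforcerd[913352]: received command backup commit --repository AEPKeyper
"""

# syslog prefix: "Mon  D HH:MM:SS" (one or two spaces before the day)
SYSLOG_TS = re.compile(r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) ")
# message patterns as they appear in the post; anything else is ignored
GENERATION = re.compile(r"new (?:KSK|ZSK|CSK)\(s\) \(\d+ bits\) need to be created")
BACKUP_COMMIT = re.compile(r"received command backup commit(?: --repository (?P<repo>\S+))?")
TRANSITION = re.compile(
    r"Transitioning (?P<role>KSK|ZSK|CSK) (?P<label>[0-9a-f]+) DNSKEY from hidden to (?P<to>\w+)"
)


def parse_ts(line, year):
    """Return the line's timestamp as a datetime, or None if it has no syslog prefix.
    `year` is supplied by the caller (assumption: syslog omits it)."""
    m = SYSLOG_TS.match(line)
    if not m:
        return None
    return datetime.strptime(f"{year} {m['mon']} {int(m['day'])} {m['time']}",
                             "%Y %b %d %H:%M:%S")


def find_unbacked_publications(log_text, year=2021):
    """Flag every DNSKEY that left the hidden state while keys generated after
    the most recent 'backup commit' were still un-backed-up.

    Heuristic: generation lines carry no labels, so a transition is flagged
    whenever a generation event is more recent than the last commit."""
    last_generation = None  # time of the latest "need to be created" line
    last_commit = None      # time of the latest "backup commit" line
    findings = []
    for line in log_text.splitlines():
        ts = parse_ts(line, year)
        if ts is None:
            continue
        if GENERATION.search(line):
            last_generation = ts
        elif BACKUP_COMMIT.search(line):
            last_commit = ts
        else:
            m = TRANSITION.search(line)
            if m is None:
                continue
            fresh_keys_pending = last_generation is not None and (
                last_commit is None or last_commit < last_generation
            )
            if fresh_keys_pending:
                findings.append({
                    "label": m["label"],
                    "role": m["role"],
                    "to_state": m["to"],
                    "published": ts,
                    "generated": last_generation,
                })
    return findings


if __name__ == "__main__":
    for f in find_unbacked_publications(SAMPLE_LOG):
        print(f"{f['role']} {f['label']} went hidden->{f['to_state']} at "
              f"{f['published']:%H:%M:%S}, only {f['published'] - f['generated']} "
              f"after the last key generation and before any backup commit")
```

Run against the sample it reports the ZSK 1c7c4e2339f81d56b3e8be0bc6c97482 published at 14:53:09 with no commit yet, which is exactly the sequence the post describes; fed a log in which `backup commit` sits between the generation and the transition, it reports nothing. Pointing it at a full /var/log copy is a cheap way to confirm whether `<RequireBackup/>` was honoured across every rollover, independent of what the enforcer itself believes.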