[Opendnssec-user] Opendnssec 2.0.1 Lots of keys created
Juan Carlos Rodriguez
2016-10-10 09:51:09 UTC
Hi,

We have compiled the 2.0.1 version to test with our Luna HSM. We have
added one zone for testing (the policy is like the "lab" policy but using
our HSM instead of softhsm), and a lot of ZSK keys (1761) have been
created. Is it a new behavior or a bug?

Oct 10 11:03:59 dnssectest ods-enforcerd: [enforcer] updatePolicy: policyName: testfast_safenet
Oct 10 11:03:59 dnssectest ods-enforcerd: [enforcer] updatePolicy: New key needed for role KSK
Oct 10 11:03:59 dnssectest ods-enforcerd: [enforcer] updatePolicy: got new key from HSM
Oct 10 11:03:59 dnssectest ods-enforcerd: 1 zone(s) found on policy "testfast_safenet"
Oct 10 11:03:59 dnssectest ods-enforcerd: [hsm_key_factory_generate] 122 keys needed for 1 zones covering 31536000 seconds, generating 1 keys for policy testfast_safenet
Oct 10 11:03:59 dnssectest ods-enforcerd: 1 new KSK(s) (2048 bits) need to be created.
Oct 10 11:04:00 dnssectest ods-enforcerd: [hsm_key_factory_generate] key generation failed, HSM error: generate key pair: Unknown error
Oct 10 11:04:00 dnssectest ods-enforcerd: 1 zone(s) found on policy "testfast_safenet"
Oct 10 11:04:00 dnssectest ods-enforcerd: [hsm_key_factory_generate] 2190 keys needed for 1 zones covering 31536000 seconds, generating 1761 keys for policy testfast_safenet
Oct 10 11:04:00 dnssectest ods-enforcerd: 1761 new ZSK(s) (2048 bits) need to be created.

<Policy name="testfast_safenet">
  <Description>Quick turnaround policy for lab work</Description>
  <Signatures>
    <Resign>PT10M</Resign>
    <Refresh>PT50M</Refresh>
    <Validity>
      <Default>PT1H</Default>
      <Denial>PT1H</Denial>
    </Validity>
    <Jitter>PT1M</Jitter>
    <InceptionOffset>PT30S</InceptionOffset>
  </Signatures>
  ...
  <Keys>
    <!-- Parameters for both KSK and ZSK -->
    <TTL>PT300S</TTL>
    <RetireSafety>PT360S</RetireSafety>
    <PublishSafety>PT360S</PublishSafety>
    <!-- <ShareKeys/> -->
    <Purge>PT10S</Purge>

    <!-- Parameters for KSK only -->
    <KSK>
      <Algorithm length="2048">8</Algorithm>
      <Lifetime>P3D</Lifetime>
      <Repository>SafenetLuna7000</Repository>
    </KSK>

    <!-- Parameters for ZSK only -->
    <ZSK>
      <Algorithm length="2048">8</Algorithm>
      <Lifetime>PT4H</Lifetime>
      <Repository>SafenetLuna7000</Repository>
      <!-- <ManualRollover/> -->
    </ZSK>
  </Keys>
  ...
</Policy>

Kind regards
--
---------------------------------------------
Juan Carlos Rodríguez Merino
NOC RedIRIS
Tel: 912127620 (Ext. 4345)

RedIRIS / Red.es
Edificio Bronce
Plaza de Manuel Gómez Moreno, s/n - 2ª planta
28020 Madrid
---------------------------------------------
Yuri Schaeffer
2016-10-10 13:43:38 UTC
Hi Juan,

The conf.xml has a <AutomaticKeyGenerationPeriod> in the enforcer
section. If not specified it defaults to a year. If you use a policy
with a very short key lifetime, such as lab, you might want to set it
*much* lower.

https://wiki.opendnssec.org/display/DOCS20/conf.xml#conf.xml-Enforcer

Best regards,
Yuri
_______________________________________________
Opendnssec-user mailing list
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
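The numbers in the log follow from the policy's Lifetime values and the one-year default of <AutomaticKeyGenerationPeriod>: 31536000 s / PT4H = 2190 ZSKs and 31536000 s / P3D rounded up = 122 KSKs, all of which the enforcer wants pre-generated on the HSM. The script below is an added illustration, not code from the thread or from OpenDNSSEC; the duration parser, the ceil(period / lifetime) * zones formula and the 365-day year / 31-day month convention are my reconstruction (they reproduce the logged figures), and the policy fragment is constructed from the one posted above.

```python
import math
import re
import xml.etree.ElementTree as ET

# Constructed from the kasp.xml fragment in the thread (only the parts we need).
POLICY_XML = """<Policy name="testfast_safenet">
  <Keys>
    <TTL>PT300S</TTL>
    <KSK><Algorithm length="2048">8</Algorithm><Lifetime>P3D</Lifetime>
         <Repository>SafenetLuna7000</Repository></KSK>
    <ZSK><Algorithm length="2048">8</Algorithm><Lifetime>PT4H</Lifetime>
         <Repository>SafenetLuna7000</Repository></ZSK>
  </Keys>
</Policy>"""

# ISO 8601 duration as used in kasp.xml / conf.xml: PnYnMnDTnHnMnS (integers only).
_DUR = re.compile(r"^P(?:(\d+)Y)?(?:(\d+)M)?(?:(\d+)D)?"
                  r"(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")


def parse_duration(text):
    """Duration string -> seconds. Assumption: a year is 365 days and a month
    31 days, which matches the 31536000 s year shown in the enforcer log."""
    m = _DUR.match(text)
    if not m:
        raise ValueError(f"bad duration: {text!r}")
    y, mo, d, h, mi, s = (int(g) if g else 0 for g in m.groups())
    return ((y * 365 + mo * 31 + d) * 24 + h) * 3600 + mi * 60 + s


def keys_needed(policy_xml, role, period_seconds, zones=1):
    """Keys of `role` (KSK/ZSK) that must exist up front so `zones` zones can
    roll every <Lifetime> for `period_seconds` (reconstructed formula)."""
    policy = ET.fromstring(policy_xml)
    lifetime = parse_duration(policy.find(f"Keys/{role}/Lifetime").text)
    return math.ceil(period_seconds / lifetime) * zones


def plan(policy_xml, generation_period="P1Y", zones=1):
    """Per-role pre-generation count for a given <AutomaticKeyGenerationPeriod>."""
    period = parse_duration(generation_period)
    return {role: keys_needed(policy_xml, role, period, zones) for role in ("KSK", "ZSK")}


if __name__ == "__main__":
    print(plan(POLICY_XML))         # default one-year period: {'KSK': 122, 'ZSK': 2190}
    print(plan(POLICY_XML, "P1D"))  # period lowered to a day: {'KSK': 1, 'ZSK': 6}
```

Running the plan against every policy before pointing the enforcer at a production HSM is a cheap way to catch a pre-generation burst that would exhaust token slots or blow through an HSM's key-object quota.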
Juan Carlos Rodriguez
2016-10-10 14:38:26 UTC
Thank you, Yuri. I will do as you suggest.

Juan Carlos