On 16.07.2013 13:30, Gavin Brown wrote:
> Hi there,
>
> We are evaluating an HSM for use with OpenDNSSEC. The vendor has
> suggested that we consider manually generating all the keys we are
> likely to need up-front, so that we only ever need to do a single backup.
>
> We're using this command to generate the keys:
>
> ods-ksmutil key generate --policy default --interval [PERIOD]
>
> where [PERIOD] is:
>
>         number of zones * expected life of the system

IIRC it is not necessary to specify 1000 years. If you have configured 100 zones all using the default policy, then it should be fine to just specify 10Y as the interval - ODS automatically detects that this policy is used for 100 zones and automatically generates 100 times the required keys.

As a test:

# configure one zone
# create the keys
ods-ksmutil key generate --policy default --interval P10Y
--> keys are generated
# create the keys again
ods-ksmutil key generate --policy default --interval P10Y
--> no keys are generated as there are already enough keys
# configure a second zone with the same policy
# create the keys
ods-ksmutil key generate --policy default --interval P10Y
--> again keys are generated as there are not enough keys to fulfill the policy for 10 years with this amount of zones


regards
Klaus


> assuming 1 KSK rollover per year. We are planning on 100 zones and
> optimistically a 10 year life for the system, equalling 1000 years.
>
> When we try to generate this many keys, we get this error:
>
> Error: unable to convert Interval P1000Y to seconds, error: interval too
> long to be an int. E.g. Maximum is ~68 years on a system with 32-bit
> integers.
>
> This is on a 64-bit system, so why do we get this error?
>
> Thanks,

_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
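The two points raised in this thread, the ~68-year cap on the interval and the fact that the interval is per zone rather than multiplied by the zone count, as an added illustration (my own model, not OpenDNSSEC's code; the 365-day year, 30-day month, the one-year key lifetime and the function names are assumptions):

```python
import math
import re

INT32_MAX = 2**31 - 1            # the limit named in the ods-ksmutil error message
YEAR = 365 * 24 * 3600           # assumed 365-day year
MONTH = 30 * 24 * 3600           # assumed 30-day month
DAY = 24 * 3600


def interval_to_seconds(interval: str) -> int:
    """Convert a P<n>Y<n>M<n>D duration such as 'P10Y' to seconds.

    Models the check behind the error in the thread: a value that does not
    fit a 32-bit int (~68 years) is rejected even on a 64-bit host, because
    the program stores the interval in a C int, not in a machine word.
    """
    m = re.fullmatch(r"P(?:(\d+)Y)?(?:(\d+)M)?(?:(\d+)D)?", interval)
    if not m or not any(m.groups()):
        raise ValueError(f"unparsable interval {interval!r}")
    years, months, days = (int(g) if g else 0 for g in m.groups())
    secs = years * YEAR + months * MONTH + days * DAY
    if secs > INT32_MAX:
        raise ValueError(f"interval {interval} too long to be an int (max ~68 years)")
    return secs


def keys_required(zones: int, interval: str, key_lifetime: str) -> int:
    """Keys a policy needs to cover `interval` for `zones` zones.

    The interval is per zone: 100 zones at P10Y need 100x what one zone
    needs, so the caller never multiplies the interval by the zone count.
    """
    per_zone = math.ceil(interval_to_seconds(interval) / interval_to_seconds(key_lifetime))
    return zones * per_zone


def keys_to_generate(zones: int, interval: str, key_lifetime: str, existing: int) -> int:
    """New keys a 'key generate' run would create, given `existing` unused keys."""
    return max(0, keys_required(zones, interval, key_lifetime) - existing)


def replay_test(interval: str = "P10Y", key_lifetime: str = "P1Y") -> list:
    """Replay the three-step test above: one zone, same run again, then two zones."""
    existing, generated = 0, []
    for zones in (1, 1, 2):
        new = keys_to_generate(zones, interval, key_lifetime, existing)
        existing += new
        generated.append(new)
    return generated  # keys created per run: [10, 0, 10]
```

With these assumptions, 100 zones over P10Y come out at 1000 keys from a P10Y interval, while P1000Y is rejected by the 32-bit check before any zone count is considered.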
