Hi, I'm using OpenDNSSEC 2.1.4, and I'm seeing some strange behaviour when I try to do a KSK rollover on a set of zones. I'm doing a rollover of all my zones within a given policy. The command I use is:
% sudo ods-enforcer key rollover --keytype KSK --policy mypolicy

Enforcer then starts to generate new keys for my 792 zones but this is done rather slowly, approximately 10 secs per key. Each time a key is generated, I see the following message in the log:

Nov 12 07:44:33 server01 ods-enforcerd: [hsm_key_factory_generate] 1 keys needed for 792 zones covering 31536000 seconds, generating 1 keys for policy mypolicy

I would expect it to say something like '792 keys needed for 792 zones' since I'm not using shared keys. Between every key generated, Enforcer seems to be looping through all the zones, logging messages like this:

Nov 12 08:00:17 server01 ods-enforcerd: [enforcer] update zone: myzone.no
Nov 12 08:00:17 server01 ods-enforcerd: [hsm_key_factory_get_key] no keys available
Nov 12 08:00:17 server01 ods-enforcerd: [enforcer] updatePolicy: No keys available in HSM for policy mypolicy, retry in 60 seconds

Is this the correct/expected behaviour or am I doing something wrong?

Regards,
Erik Østlyngen
Norid AS
www.norid.no
