OpenDNSSEC / OPENDNSSEC-752

Error allocating ksks / zsks

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.4.13
    • Fix Version/s: 1.4.14
    • Component/s: Enforcer
    • Labels:
      None

      Description

      [Opendnssec-user] Error allocating ksks / zsks 2016/01/25

      I had reason to inspect the log from the physical console on our
      signer host, and found messages from ods-enforcerd related to two
      of our zones:

      Jan 24 17:07:01 hugin ods-enforcerd: Error allocating ksks to zone godegrep.no
      Jan 24 17:07:16 hugin ods-enforcerd: Error allocating zsks to zone 2.1.2.6.1.9.3.7.7.4.nrenum.net

      and that this is a recurring theme.

      Looking at the log reveals a bit more:

      Jan 25 14:12:48 hugin ods-enforcerd: Zone godegrep.no found.
      Jan 25 14:12:48 hugin ods-enforcerd: Policy for godegrep.no set to default.
      Jan 25 14:12:48 hugin ods-enforcerd: Config will be output to /var/opendnssec/signconf/godegrep.no.xml.
      Jan 25 14:12:48 hugin ods-enforcerd: Not enough keys to satisfy ksk policy for zone: godegrep.no. keys_to_allocate(1) = keys_needed(1) - (keys_available(1) - keys_pending_retirement(1))
      Jan 25 14:12:48 hugin ods-enforcerd: Tried to allocate 1 keys, failed on allocating key number 1
      Jan 25 14:12:48 hugin ods-enforcerd: ods-enforcerd will create some more keys on its next run
      Jan 25 14:12:48 hugin ods-enforcerd: Error allocating ksks to zone godegrep.no

      It seems to me that the calculation above wrt. keys_to_allocate
      is correct, but the statement that ods-enforcerd will create more
      keys on its next run appears to be a blatant lie.

      Listing the keys for these zones reveals that some of the "Date
      of next transition" has come and gone without the transition to
      the next state having taken place, and one of the key sets has a
      key in "generate" state which isn't visible without the "-all"
      switch:

      ods @ hugin: {6} ods-ksmutil key list -all --zone godegrep.no
      Keys:
      Zone: Keytype: State: Date of next transition:
      godegrep.no KSK active 2015-12-13 15:12:43
      godegrep.no ZSK retire 2015-12-29 09:45:48
      godegrep.no ZSK active 2016-01-07 04:30:48
      godegrep.no ZSK generate (not scheduled)

      ods @ hugin: {7} ods-ksmutil key list --all --zone 2.1.2.6.1.9.3.7.7.4.nrenum.net
      Keys:
      Zone: Keytype: State: Date of next transition:
      2.1.2.6.1.9.3.7.7.4.nrenum.net KSK active 2016-12-09 23:42:31
      2.1.2.6.1.9.3.7.7.4.nrenum.net ZSK active 2016-01-06 00:25:00

      ods @ hugin: {8}

      I'm not sure when this started.

      So...

      1) Any idea how OpenDNSSEC got itself into this state?

      2) Are there any manual steps I have to perform to get it out of
      this state for these two zones?

      3) Rhetorical: why doesn't OpenDNSSEC recover by itself from this?
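
The stalled state described in the report can be detected before it shows up on a console log by checking the key listing for transition dates that have already passed. The following is an added example, not part of the original report or of OpenDNSSEC; it assumes the four-column listing format shown above, and the function names are hypothetical.

```python
import re
from datetime import datetime

# Row shape as shown in the report: zone, key type, state, next transition.
ROW = re.compile(
    r"^(\S+)\s+(KSK|ZSK)\s+(\w+)\s+"
    r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}|\(not scheduled\))$"
)

def parse_key_list(text):
    """Parse key-list output into dicts; header and prompt lines are skipped."""
    keys = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            zone, ktype, state, when = m.groups()
            due = None if when.startswith("(") else datetime.strptime(when, "%Y-%m-%d %H:%M:%S")
            keys.append({"zone": zone, "type": ktype, "state": state, "due": due})
    return keys

def stalled(keys, now):
    """Map zone -> [(type, state, days_overdue)] for transitions already past due."""
    out = {}
    for k in keys:
        if k["due"] is not None and k["due"] < now:
            out.setdefault(k["zone"], []).append((k["type"], k["state"], (now - k["due"]).days))
    return out

# Key rows taken from the two listings in the report above.
SAMPLE = """\
Keys:
Zone: Keytype: State: Date of next transition:
godegrep.no KSK active 2015-12-13 15:12:43
godegrep.no ZSK retire 2015-12-29 09:45:48
godegrep.no ZSK active 2016-01-07 04:30:48
godegrep.no ZSK generate (not scheduled)
2.1.2.6.1.9.3.7.7.4.nrenum.net KSK active 2016-12-09 23:42:31
2.1.2.6.1.9.3.7.7.4.nrenum.net ZSK active 2016-01-06 00:25:00
"""

if __name__ == "__main__":
    now = datetime(2016, 1, 25, 14, 12, 48)  # time of the enforcer log lines; year assumed from the post date
    for zone, rows in stalled(parse_key_list(SAMPLE), now).items():
        for ktype, state, days in rows:
            print(f"{zone}: {ktype} in state '{state}' is {days} days past its transition")
```

Keys with no scheduled transition, such as the one in "generate" state, are parsed but never reported as overdue.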

            People

            Assignee:
            yuri Yuri Schaeffer
            Reporter:
            yuri Yuri Schaeffer