Support / SUPPORT-248

Key generation in manual KSK rollover for multiple zones is very slow


    Details

    • Type: Bug
    • Status: Open
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: 2.1.4
    • Fix Version/s: None
    • Component/s: Enforcer
    • Labels:
      None
    • Environment:

      OpenDNSSEC version 2.1.4, built from source on a standard Ubuntu 16.04 Linux distribution.

      SoftHSM 2.5.0, built from source on Ubuntu 16.04.

      SQLite KASP database.

      794 zones in the configuration.

      Description

      I do a KSK rollover of all my zones in a given policy with the following command:

      % ods-enforcer key rollover --policy norid-sld --keytype KSK

      The policy norid-sld has 792 zones in it. The log tells me that a rollover is initiated for each of the zones and then starts to generate keys. But this proceeds very slowly, 8-10 seconds between each key being generated. So the whole process of generating the keys takes about 2.5 hours. During this period, the enforcer is constantly working, updating all the zones again and again. From the log, it seems that the enforcer is looping through all the 792 zones, and updating each of them between every key being generated.

      The random device seems to have enough entropy all the time. As a test, by modifying the code, I have also tried to generate 792 keys in one batch, which only takes a few minutes.

      Syslog:

      Nov 26 08:42:54 server017 ods-enforcerd: [keystate_rollover_cmd] Manual rollover initiated for KSK on Zone: aa.no
      Nov 26 08:42:54 server017 ods-enforcerd: [keystate_rollover_cmd] Manual rollover initiated for KSK on Zone: aarborte.no
      Nov 26 08:42:54 server017 ods-enforcerd: [keystate_rollover_cmd] Manual rollover initiated for KSK on Zone: aejrie.no
      [... repeated for all 792 zones ...]
      Nov 26 08:42:56 server017 ods-enforcerd: [keystate_rollover_cmd] Manual rollover initiated for KSK on Zone: kommune.no
      Nov 26 08:42:56 server017 ods-enforcerd: [keystate_rollover_cmd] Manual rollover initiated for KSK on Zone: gielda.no
      Nov 26 08:42:56 server017 ods-enforcerd: [keystate_rollover_cmd] Manual rollover initiated for KSK on Zone: suohkan.no
      Nov 26 08:42:56 server017 ods-enforcerd: [keystate_rollover_cmd] Manual rollover initiated for KSK on Zone: tjielte.no
      Nov 26 08:42:56 server017 ods-enforcerd: [enforcer] update zone: aa.no
      Nov 26 08:42:56 server017 ods-enforcerd: [enforcer] update zone: aarborte.no
      Nov 26 08:42:56 server017 ods-enforcerd: [hsm_key_factory_get_key] no keys available
      Nov 26 08:42:56 server017 ods-enforcerd: [enforcer] updatePolicy: No keys available in HSM for policy norid-sld, retry in 60 seconds
      Nov 26 08:42:56 server017 ods-enforcerd: [enforce_task] No changes to signconf file required for zone aarborte.no
      Nov 26 08:42:56 server017 ods-enforcerd: [enforcer] update zone: aejrie.no
      Nov 26 08:42:56 server017 ods-enforcerd: [hsm_key_factory_get_key] no keys available
      Nov 26 08:42:56 server017 ods-enforcerd: [enforcer] updatePolicy: No keys available in HSM for policy norid-sld, retry in 60 seconds
      Nov 26 08:42:56 server017 ods-enforcerd: [enforce_task] No changes to signconf file required for zone aejrie.no
      Nov 26 08:42:56 server017 ods-enforcerd: [enforcer] update zone: afjord.no
      Nov 26 08:42:56 server017 ods-enforcerd: [hsm_key_factory_get_key] no keys available
      Nov 26 08:42:56 server017 ods-enforcerd: [enforcer] updatePolicy: No keys available in HSM for policy norid-sld, retry in 60 seconds
      Nov 26 08:42:56 server017 ods-enforcerd: [enforce_task] No changes to signconf file required for zone afjord.no
      [... repeated for all zones ...]
      Nov 26 08:42:58 server017 ods-enforcerd: 792 zone(s) found on policy "norid-sld"
      Nov 26 08:42:58 server017 ods-enforcerd: [hsm_key_factory_generate] 1 keys needed for 792 zones covering 31536000 seconds, generating 1 keys for policy norid-sld
      Nov 26 08:42:58 server017 ods-enforcerd: 1 new KSK(s) (2048 bits) need to be created.
      Nov 26 08:42:58 server017 ods-enforcerd: [enforcer] update zone: hurdal.no
      Nov 26 08:42:58 server017 ods-enforcerd: [enforcer] update zone: holtalen.no
      Nov 26 08:42:58 server017 ods-enforcerd: [hsm_key_factory_get_key] no keys available
      Nov 26 08:42:58 server017 ods-enforcerd: [enforcer] updatePolicy: No keys available in HSM for policy norid-sld, retry in 60 seconds
      Nov 26 08:42:58 server017 ods-enforcerd: [enforce_task] No changes to signconf file required for zone holtalen.no
      Nov 26 08:42:58 server017 ods-enforcerd: [enforcer] update zone: horten.no
      Nov 26 08:42:58 server017 ods-enforcerd: [hsm_key_factory_get_key] no keys available
      [... repeated for all zones ...]
      Nov 26 08:43:06 server017 ods-enforcerd: 792 zone(s) found on policy "norid-sld"
      Nov 26 08:43:06 server017 ods-enforcerd: [hsm_key_factory_generate] 1 keys needed for 792 zones covering 31536000 seconds, generating 1 keys for policy norid-sld
      Nov 26 08:43:06 server017 ods-enforcerd: 1 new KSK(s) (2048 bits) need to be created.
      Nov 26 08:43:06 server017 ods-signerd: [signconf] zone aejrie.no signconf: RESIGN[PT2H] REFRESH[P10D] VALIDITY[P13D] DENIAL[P13D] KEYSET[PT0S] JITTER[P1D] OFFSET[PT1H] NSEC[50] DNSKEYTTL[PT1H] SOATTL[PT2H] MINIMUM[PT2H] SERIAL[counter]
      Nov 26 08:43:06 server017 ods-signerd: [signconf] zone hurdal.no signconf: RESIGN[PT2H] REFRESH[P10D] VALIDITY[P13D] DENIAL[P13D] KEYSET[PT0S] JITTER[P1D] OFFSET[PT1H] NSEC[50] DNSKEYTTL[PT1H] SOATTL[PT2H] MINIMUM[PT2H] SERIAL[counter]
      Nov 26 08:43:06 server017 ods-enforcerd: [enforcer] update zone: aarborte.no
      Nov 26 08:43:06 server017 ods-enforcerd: [enforcer] update zone: aarborte.no
      Nov 26 08:43:06 server017 ods-enforcerd: [enforcer] update zone: ah.no
      Nov 26 08:43:06 server017 ods-enforcerd: [hsm_key_factory_get_key] no keys available
      Nov 26 08:43:06 server017 ods-enforcerd: [enforcer] updatePolicy: No keys available in HSM for policy norid-sld, retry in 60 seconds
      Nov 26 08:43:06 server017 ods-enforcerd: [enforce_task] No changes to signconf file required for zone ah.no
      Nov 26 08:43:06 server017 ods-enforcerd: [enforcer] update zone: akershus.no
      Nov 26 08:43:06 server017 ods-enforcerd: [hsm_key_factory_get_key] no keys available
      [...]
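As an added diagnostic, not part of this report or of OpenDNSSEC itself: a Python script that parses enforcer syslog lines of the kind shown above, measures the interval between successive key generations, counts the "update zone" passes in between, and extrapolates the total rollover time. The log lines it runs on are constructed, modelled on the excerpt; the 1900 default year comes from the year-less syslog timestamp and only matters for intervals.

```python
# Added diagnostic (not from the report or OpenDNSSEC): how often does the
# enforcer generate a key, and how many zone updates run in between?
import re
from datetime import datetime

# Constructed sample lines, modelled on the syslog excerpt in the report.
SAMPLE_LOG = """\
Nov 26 08:42:56 server017 ods-enforcerd: [enforcer] update zone: aa.no
Nov 26 08:42:56 server017 ods-enforcerd: [enforcer] update zone: aarborte.no
Nov 26 08:42:58 server017 ods-enforcerd: 1 new KSK(s) (2048 bits) need to be created.
Nov 26 08:42:58 server017 ods-enforcerd: [enforcer] update zone: hurdal.no
Nov 26 08:42:58 server017 ods-enforcerd: [enforcer] update zone: holtalen.no
Nov 26 08:42:58 server017 ods-enforcerd: [enforcer] update zone: horten.no
Nov 26 08:43:06 server017 ods-enforcerd: 1 new KSK(s) (2048 bits) need to be created.
Nov 26 08:43:06 server017 ods-enforcerd: [enforcer] update zone: aarborte.no
Nov 26 08:43:15 server017 ods-enforcerd: 1 new KSK(s) (2048 bits) need to be created.
"""

LINE_RE = re.compile(r"^(\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ ods-enforcerd: (.*)$")
KEYGEN_RE = re.compile(r"\d+ new KSK\(s\) .* need to be created")
UPDATE_RE = re.compile(r"\[enforcer\] update zone: \S+")

def keygen_intervals(log_text):
    """One record per key generation: seconds since the previous generation
    (None for the first) and the number of 'update zone' lines in between."""
    records, prev_ts, updates = [], None, 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # signer lines, other daemons, wrapped fragments
        msg = m.group(2)
        if UPDATE_RE.search(msg):
            updates += 1
        elif KEYGEN_RE.search(msg):
            ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S")  # no year in syslog
            gap = (ts - prev_ts).total_seconds() if prev_ts else None
            records.append({"time": m.group(1), "seconds_since_prev": gap,
                            "zone_updates_between": updates})
            prev_ts, updates = ts, 0
    return records

def projected_hours(records, keys_needed):
    """Extrapolate the full rollover from the mean observed interval."""
    gaps = [r["seconds_since_prev"] for r in records if r["seconds_since_prev"] is not None]
    return keys_needed * sum(gaps) / len(gaps) / 3600 if gaps else None

if __name__ == "__main__":
    recs = keygen_intervals(SAMPLE_LOG)
    print(recs, "projected hours for 792 keys:", round(projected_hours(recs, 792), 2))
```

On a real syslog, feed the file contents to keygen_intervals; a steady 8 to 10 second gap with hundreds of zone updates per record reproduces the pattern the reporter describes.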

            People

            Assignee:
            Unassigned
            Reporter:
            erik.ostlyngen Erik Pihl Østlyngen