- Type: Bug
- Status: Open
- Priority: Minor
- Resolution: Unresolved
- Affects Version/s: 2.1.10
- Fix Version/s: None
- Component/s: Enforcer
- Labels: None
- Environment: OpenDNSSEC 2.1.10 with AutomaticKeyGenerationPeriod set to P1Y, multiple zones per policy, and the RequireBackup option enabled.
ods-enforcerd mentions the following in the log:
ods-enforcerd: [hsm_key_factory_generate] 5 keys needed for 2 zones covering 31536000 seconds, generating 1 keys for policy default
The 31536000 seconds is 365 days (P1Y) which is configured for the AutomaticKeyGenerationPeriod. And with a default policy which uses a ZSK Lifetime of P90D, 5 keys should be generated.
But I would expect this value to be multiplied by the number of zones that use that policy.
Because if I had 10 zones that use that policy, there would only be 5 keys pre-generated, which can be put in a backup. And when all the zones have the ZSK within a short time period, not all zones will be able to use a new key, because there are no backed-up keys available.
I would like OpenDNSSEC to use the following calculation for the number of needed keys:
ceil(<AutomaticKeyGenerationPeriod>/<ZSK Lifetime>)*<Number of zones that use the policy>
If needed this could be a configuration option.
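The following is an added worked example, not code from the OpenDNSSEC project or the issue reporter. It models the reporter's reading of the log line (a per-policy count of ceil(period / ZSK lifetime), independent of zone count) beside the proposed zone-multiplied count, and then walks every zone through its ZSK rollovers over the AutomaticKeyGenerationPeriod to show how many rollovers find no pre-generated (and therefore no backed-up) key. The simulation assumes each zone starts with a fresh ZSK at t=0 and rolls every lifetime; the real enforcer's scheduling is more involved, so this is an illustration of the shortfall, not of ods-enforcerd internals.

```python
import math

DAY = 86400                       # seconds
P1Y = 365 * DAY                   # AutomaticKeyGenerationPeriod P1Y = 31536000 s
P90D = 90 * DAY                   # ZSK Lifetime P90D from the default policy


def keys_needed_current(period_s: int, lifetime_s: int) -> int:
    """Per-policy count as the reporter reads the log line:
    ceil(period / lifetime), with no dependence on the number of zones
    (assumption: this matches the '5 keys needed' in the log)."""
    return math.ceil(period_s / lifetime_s)


def keys_needed_proposed(period_s: int, lifetime_s: int, zone_count: int) -> int:
    """The calculation the issue asks for:
    ceil(period / lifetime) * number of zones using the policy."""
    return keys_needed_current(period_s, lifetime_s) * zone_count


def simulate_rollovers(period_s: int, lifetime_s: int,
                       zone_count: int, pregenerated: int) -> dict:
    """Simplified model (not the enforcer's real scheduler): every zone rolls its
    ZSK once per lifetime; each rollover consumes one pre-generated key from the
    shared per-policy pool.  With RequireBackup, a key that was not pre-generated
    (and backed up) cannot be used, so a rollover with an empty pool is a shortfall."""
    events = []  # (time, zone) rollover instants within the period
    for zone in range(zone_count):
        t = lifetime_s
        while t <= period_s:
            events.append((t, zone))
            t += lifetime_s
    events.sort()  # process rollovers in time order across all zones

    pool = pregenerated
    consumed = 0
    shortfalls = 0
    for _t, _zone in events:
        if pool > 0:
            pool -= 1
            consumed += 1
        else:
            shortfalls += 1
    return {"rollovers": len(events), "consumed": consumed,
            "shortfalls": shortfalls, "remaining": pool}


if __name__ == "__main__":
    zones = 10
    current = keys_needed_current(P1Y, P90D)
    proposed = keys_needed_proposed(P1Y, P90D, zones)
    print(f"current per-policy count: {current} keys")
    print(f"proposed count for {zones} zones: {proposed} keys")
    print("with current count:", simulate_rollovers(P1Y, P90D, zones, current))
    print("with proposed count:", simulate_rollovers(P1Y, P90D, zones, proposed))
```

Running it with the figures from the report (P1Y period, P90D lifetime, 10 zones) gives 5 keys under the current reading and 50 under the proposed formula; in the simplified model the 5-key pool is exhausted after the first five rollovers and the remaining 35 rollovers in that year find no backed-up key, while the 50-key pool covers all 40 rollovers with 10 keys to spare (the ceil rounds the partial fifth lifetime up per zone).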