Hi Sara,

Thanks for the fast response. This may explain it. We use shared keys and this key is used indeed for other zones.

Is there a simple way to exclude the unallocated keys and get the old listing behaviour?
(I now use | grep -v "NOT ALLOCATED".
This incompatible change broke one of my scripts, so I used this work-around to fix it, but I wonder whether there are other cases that may pop up later.)

Fred.Zwarts.
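As an added example (not code from the thread or from the OpenDNSSEC project), the following POSIX shell script shows the grep work-around Fred describes with the pattern anchored to the zone column, so that only lines whose zone field reads NOT ALLOCATED are dropped and a line that merely contains that text elsewhere is kept, plus a second filter that lists CKA_IDs used by more than one zone, which is the shared-key situation Sara describes. The sample listing, its header line, the zone names and the second CKA_ID are constructed; the column layout follows the two lines quoted in the thread.

```shell
#!/bin/sh
# Added example: post-process "ods-ksmutil key list --verbose" output.
# Functions read the listing on stdin, so they can be used as
#   ods-ksmutil key list --verbose | allocated_keys
# or run offline against a captured listing, as done below.

# Constructed sample listing. The header line, zone names and the second
# CKA_ID are invented; the NOT ALLOCATED lines copy the thread's examples.
SAMPLE_KEYLIST='Zone:          Keytype: State:   Date of next transition (to): Size: Algorithm: CKA_ID: Repository:
example.test   KSK      active   2014-06-01 00:00:00 (retire)  2048 8 310a8e2e58cbafab7aa934e2a3fd8598 SoftHSM
example.test   ZSK      active   2014-05-20 00:00:00 (retire)  1024 8 0123456789abcdef0123456789abcdef SoftHSM
NOT ALLOCATED  KSK      dsready  When required (keypub)        2048 8 310a8e2e58cbafab7aa934e2a3fd8598 SoftHSM
NOT ALLOCATED  KSK      dssub    waiting for ds-seen (dspub)   2048 8 310a8e2e58cbafab7aa934e2a3fd8598 SoftHSM
other.test     KSK      active   2014-06-01 00:00:00 (retire)  2048 8 310a8e2e58cbafab7aa934e2a3fd8598 SoftHSM'

# Drop keys that are not allocated to any zone. The pattern is anchored to
# the start of the line (the zone column), unlike an unanchored grep -v,
# which would also discard any line containing the text in another column.
# awk is used instead of grep so the function exits 0 even when every line
# is filtered out (grep -v exits 1 when nothing is selected).
allocated_keys() {
    awk '!/^NOT ALLOCATED/'
}

# List CKA_IDs that are allocated to more than one zone, with the zone count.
# The date column contains a variable number of words, so the CKA_ID is
# taken relative to the end of the line: it is the next-to-last field, and
# the repository name is the last one. The header line is skipped.
shared_cka_ids() {
    awk '
        /^Zone:/ || /^NOT ALLOCATED/ { next }
        {
            zone = $1; id = $(NF - 1)
            if (!((id, zone) in seen)) { seen[id, zone] = 1; zones[id]++ }
        }
        END { for (id in zones) if (zones[id] > 1) print id, zones[id] }
    '
}

# Stand-alone demonstration on the constructed listing.
echo "== allocated keys =="
printf '%s\n' "$SAMPLE_KEYLIST" | allocated_keys
echo "== CKA_IDs shared between zones =="
printf '%s\n' "$SAMPLE_KEYLIST" | shared_cka_ids
```

A CKA_ID reported by shared_cka_ids is one that the listing will also show on NOT ALLOCATED lines whenever one of the zones using it has been deleted while the key stays in use elsewhere, so the two filters together give the old listing plus a view of why the extra lines appear.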

Hi Fred,

An extension was made to the ‘key list’ command in 1.4.4 based on a number of user requests (from the release notes):

* OPENDNSSEC-358: ods-ksmutil: Extend 'key list' command with options to filter on key type and state. This allows keys in the GENERATE and DEAD state to be output.

and the new syntax is described here:

https://wiki.opendnssec.org/display/DOCS/ods-ksmutil#ods-ksmutil-Command:keylist

One side effect of this is that additional keys may now also be listed in the default output because the results are no longer limited to only those keys that are allocated to zones. The NOT ALLOCATED text was added for such cases and would typically only be seen when viewing generated keys (for example, pre-generated keys are associated with a policy but are not allocated to zones until they are used).

In your case I see that the keys have the same CKA_ID, which suggests they were used on a shared policy. They may have been allocated to zones that were later deleted (and the keys were not deleted because they were in use by other zones)?

Sara.


On 8 May 2014, at 09:17, Fred.Zwarts <f.zwa...@kvi.nl> wrote:

I installed opendnssec 1.4.5 over an opendnssec 1.4.3 installation.

Now when I use the "ods-ksmutil key list --verbose" command I see lines that I did not see with the previous version:

NOT ALLOCATED KSK dsready When required (keypub) 2048 8 310a8e2e58cbafab7aa934e2a3fd8598 SoftHSM

and

NOT ALLOCATED KSK dssub waiting for ds-seen (dspub) 2048 8 310a8e2e58cbafab7aa934e2a3fd8598 SoftHSM

The words "NOT ALLOCATED" are seen where normally the domain name appears.
I assume that NOT ALLOCATED means that it is not allocated for a domain.
I don't understand how a key that is not allocated for a domain can be in the state dsready, or dssub.
Can somebody explain this?

_______________________________________________
Opendnssec-user mailing list
Opendnssec-user@lists.opendnssec.org
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user