The general idea is to have a sufficiently large number of keys in reserve
- since the key generation process tends to be computationally intensive, I
do not want to have to generate keys as I need them, for that would have an
impact on the performance of the server. Anyway, I think that your answer
addresses my question all right; thanks.
On Thu, Aug 19, 2021 at 1:15 AM libor.peltan <libor.peltan(a)nic.cz> wrote:
  Hi Luveh,
 What do you need to achieve in the first place?
 What is your configured key lifetime? "Two years' worth of keys" might be
 just "three" for some operators ;)
 Do you use the `keymgr pregenerate` command to pre-generate the keys? Please
 note that this feature is intended mostly for Offline KSK operation, and
 it pre-generates just ZSKs.
 In any case, if you look at the output of `keymgr list`, you will see the
 "timers" of each key. This should answer the question of the order in which
 they will be used: the lifetime phases of all the keys are already pre-planned.
 Regarding Knot slowness: it is possible. Knot is possibly programmed
 ineffectively when handling a large number of keys. The reason is that
 normally there are just a few, or at most several, keys in the zone.
 Libor
 On 18. 08. 21 at 22:59, Luveh Keraph wrote:
 I have been looking into the key pre-generation capability of keymgr, and
 the following question has come up:
 Imagine I pre-generate, say, one month's worth of keys for a given zone.
 This zone is defined so that it will be signed automatically on bringing up
 the Knot server.  Next I start the Knot server.  What criteria are used in
 order to select the keys, among the pre-generated ones, to be used to sign
 this zone?
 The reason I am asking is because I pre-generated two years' worth of keys
 for a particular zone, and when I started the Knot server it took a
 significant amount of time selecting the appropriate keys from among the
 pre-generated ones.