[Opendnssec-user] adding a zone, key processing fails

Tom Hendrikx tom at whyscream.net
Mon Dec 13 14:14:24 CET 2010

On 13/12/10 12:57, Sion Lloyd wrote:
>> Inspecting kasp.db does list the keys that are unknown to the HSM, even
>> after the re-adding and removal of zone example.com, which gets these
>> keys added to it. I'll send you the kasp.db off-list, but I assume that
>> it would be possible to use regular SQL to remove the missing keys from
>> the kasp.db 'keypairs' table?
> Yes, that would work. It looks like the keys were never used, so the system 
> thinks that they are available for any new zone that you add.
> I'm still unsure as to how the database got into this state, deleting the zone 
> should leave the keys in the HSM. Unless you run "ods-ksmutil key purge".

ods-ksmutil key purge does not remove them, despite looking up the
correct policy to use in the purge command (maybe because removing the
key from the HSM fails?)

Manually deleting them from the kasp.db did work. I now have a new and
nicely signed example.com zone. Thanks for helping out. ;)


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 262 bytes
Desc: OpenPGP digital signature
URL: <https://lists.opendnssec.org/pipermail/opendnssec-user/attachments/20101213/5064e937/attachment.sig>

More information about the Opendnssec-user mailing list