[Opendnssec-user] get rid of orphaned keys?

Gilles Massen gilles.massen at restena.lu
Mon Sep 13 12:52:25 UTC 2010


I have a policy for which I pre-generated keys. After removing the one
zone from the policy, I ran "bin/ods-ksmutil key purge --policy quicky"
which removed 5 keys (presumably the ones linked to that zone).

But now there are still plenty of keys in the HSM and database allocated
to policy quicky (according to table keypairs), but when I try to re-add
a zone to the policy, I get:

Sep 13 14:45:46 opendnssec ods-enforcerd: Not enough keys to satisfy ksk
policy for zone: quicky-large.lu
Sep 13 14:45:46 opendnssec ods-enforcerd: ods-enforcerd will create some
more keys on its next run
Sep 13 14:45:46 opendnssec ods-enforcerd: Error allocating ksks to zone
quicky-large.lu

I understood from Sion that this is a known issue.

But how do I get rid of the orphaned keys? Is there anything better than
a command along the lines of "DELETE FROM keypairs WHERE policy_id=2"
(and piping the key id through ods-hsmutil remove)?

Gilles

-- 
Fondation RESTENA - DNS-LU
6, rue Coudenhove-Kalergi
L-1359 Luxembourg
tel: (+352) 424409
fax: (+352) 422473
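The cleanup the question sketches (delete the policy's rows from keypairs, feed each key id to "ods-hsmutil remove") can be made safer by only touching keys that no zone references, and by removing the key from the HSM before dropping the database row that records its HSM id. The script below is an added illustration, not part of the original post and not OpenDNSSEC's own tooling; it assumes a subset of the OpenDNSSEC 1.x enforcer schema (a keypairs table with id, HSMkey_id and policy_id, and a dnsseckeys table with keypair_id) and builds a constructed in-memory SQLite database so it runs without an HSM. By default it only plans the work (dry run); the real database and the ods-hsmutil calls are only used when dry_run is False.

```python
import sqlite3
import subprocess

# Assumed (not taken from the post) subset of the OpenDNSSEC 1.x enforcer schema.
# Column and table names are an assumption; check them against your own database.
SCHEMA = """
CREATE TABLE keypairs (id INTEGER PRIMARY KEY, HSMkey_id TEXT NOT NULL, policy_id INTEGER NOT NULL);
CREATE TABLE dnsseckeys (id INTEGER PRIMARY KEY, keypair_id INTEGER NOT NULL, zone_id INTEGER NOT NULL);
"""


def find_orphaned_keys(conn, policy_id):
    """Return (keypair_id, hsm_key_id) for keys on the policy that no zone references.

    Unlike "DELETE FROM keypairs WHERE policy_id=?", this leaves keys that are
    still allocated to a zone untouched.
    """
    return conn.execute(
        """
        SELECT k.id, k.HSMkey_id
          FROM keypairs k
         WHERE k.policy_id = ?
           AND NOT EXISTS (SELECT 1 FROM dnsseckeys d WHERE d.keypair_id = k.id)
         ORDER BY k.id
        """,
        (policy_id,),
    ).fetchall()


def plan_removal(conn, policy_id):
    """Build the ods-hsmutil commands for the orphans without running anything."""
    orphans = find_orphaned_keys(conn, policy_id)
    # ods-hsmutil remove <id> takes the HSM key id (the CKA_ID), not the keypairs row id.
    hsm_cmds = [["ods-hsmutil", "remove", hsm_id] for _, hsm_id in orphans]
    return orphans, hsm_cmds


def remove_orphaned_keys(conn, policy_id, dry_run=True):
    """Remove each orphan from the HSM first, then drop its keypairs row.

    Ordering matters: the keypairs row is what still holds the HSM key id, so
    deleting it first would leave key material in the HSM with no record of it.
    Returns the number of orphaned keys found (and removed, if not a dry run).
    """
    orphans, hsm_cmds = plan_removal(conn, policy_id)
    for (kid, hsm_id), cmd in zip(orphans, hsm_cmds):
        if dry_run:
            print("would run:", " ".join(cmd), "and then delete keypairs.id =", kid)
            continue
        subprocess.run(cmd, check=True)  # stop on the first HSM failure, keep the DB row
        conn.execute("DELETE FROM keypairs WHERE id = ?", (kid,))
    if not dry_run:
        conn.commit()
    return len(orphans)


def build_sample_db():
    """Constructed sample data: policy 2 has four keys, only key 1 is attached to a zone."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO keypairs (id, HSMkey_id, policy_id) VALUES (?, ?, ?)",
        [
            (1, "aa01", 2),  # in use by zone 1
            (2, "aa02", 2),  # orphan
            (3, "aa03", 2),  # orphan
            (4, "bb04", 3),  # different policy, must not be touched
        ],
    )
    conn.execute("INSERT INTO dnsseckeys (id, keypair_id, zone_id) VALUES (1, 1, 1)")
    conn.commit()
    return conn


if __name__ == "__main__":
    # Against a real enforcer database you would pass sqlite3.connect("/path/to/kasp.db")
    # (path is a placeholder) and set dry_run=False once the plan looks right.
    db = build_sample_db()
    print("orphans found:", remove_orphaned_keys(db, policy_id=2, dry_run=True))
```

The dry run prints the exact ods-hsmutil invocations and row ids it would act on, so the plan can be checked against "ods-hsmutil list" before anything is deleted.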