[Opendnssec-user] Trying to purge a key with "unknown key state"

Siôn Lloyd sion at nominet.org.uk
Tue Jan 8 09:20:35 UTC 2013

On 07/01/13 18:05, Paul Wouters wrote:
> I'm trying to kill all references to a key in ods/softhsm
> ~> ods-ksmutil key ksk-retire --keytag 12345
> *WARNING* This will retire the currently active KSK; are you sure?
> [y/N] y
> Found key with CKA_ID 02e940a73755801f75bc9744c608dc5e
> Key 02e940a73755801f75bc9744c608dc5e retired
> ~> ods-ksmutil key delete --cka_id 12345
> Failed to determine the state of the key
> The problem is that this key is still showing up in the signconf XML
> file, and is re-introduced when running ods-ksmutl update all.  But it
> has a wrong algorithm, and it just needs to vanish completely, as it is
> just breaking the signerd (which also dies upon encountering this)
> Is there a way to force deletion without knowing the state of the key?

No; at least not without running SQL against the kasp database... (The
theory is that we do not want to delete keys if we are not certain that
they are not being used somewhere else.)

Does the key show up in a key list command?


More information about the Opendnssec-user mailing list