[Opendnssec-user] Key Management: History and Future

Sebastian Castro sebastian at nzrs.net.nz
Mon Mar 11 20:17:43 UTC 2013

On 12/03/13 04:29, Klaus Darilion wrote:
> Hi!

Hi Klaus,

> As an ODS newbie I try to understand the key usage of ODS in an existing
> ODS deployment. "ods-hsmutil  list" shows me plenty of keys. Some of
> them are currently used, some of them are "removed", and some of them
> will be used in the future. Unfortunately "ods-ksmutil key list -v" only
> shows me the currently used keys.

For clarity, ods-hsmutil and ods-ksmutil are two utilities for different

ods-hsmutil interacts with your HSM, show you keys and their IDs
(CKA_ID), you can do benchmarking, create keys, etc.

ods-ksmutil is intended for querying the KASP (Key and Signing Policy)
database, that contains the zones you are signing, which keys are being
used for signing, the current status of the keys, etc.

Effectively "ods-ksmutil key list -v" doesn't show the keys in GENERATE
or DEAD state, there is a feature request for it (actually more than one)


> So, if I want to delete old keys from the HSM, who do I know which HSM
> keys are deprecated?

HSM doesn't know about deprecated or dead keys, is the KASP who knows
that. You can use "ods-ksmutil key purge" to remove keys that are no
longer needed

> Further, is there a way to find out how many of the HSM keys are
> "Generated"? For example I want to know how long ODS can operate before
> running out of keys (e.g. to be included into a monitoring system).

Given it's not provided by ods-ksmutil yet, for our setup we wrote some
Perl code that reads the KASP and gives you a number of "unallocated"
keys per policy (given keys in the GENERATE state are not associated to
a policy).

The query is something like this:

SELECT location, policy_id
FROM keydata_view
WHERE zone_id is NULL
  AND policy_id = ?
  AND securitymodule_id = ?
  AND size = ?
  AND algorithm = ?

Bear in mind the query depends on the version of OpenDNSSEC you are
using, if there are changes to the KASP, it could be invalidated.

I hope it helps,


> Thanks
> Klaus
> _______________________________________________
> Opendnssec-user mailing list
> Opendnssec-user at lists.opendnssec.org
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user

Sebastian Castro
DNS Specialist
.nz Registry Services (New Zealand Domain Name Registry Limited)
desk: +64 4 495 2337
mobile: +64 21 400535

More information about the Opendnssec-user mailing list