[Opendnssec-user] Removing old keys and policies

Julian Brost julian at 0x4a42.net
Sat Aug 19 15:07:54 UTC 2017


Hi,

I'm currently running OpenDNSSEC 2.1.3 and after some experimenting, I
now want to remove some old policies and keys. Some of the testing has
already been done using version 1.4 or 2.0 and the installation was
upgraded.

When I try to remove the old policy "lab2", I get this error:

# ods-enforcer policy import -r
[...]
Unable to delete policy lab2, there are still hsm keys using this policy!

However, there is no zone left using that policy and trying to purge its
keys doesn't succeed either:

# ods-enforcer key purge -p lab2
No zones on policy lab2
No keys to purge

What's the best way to proceed in this situation? Are there any tools
that can help me? Is it safe to manually remove keys from the table
"hsmKey" in the database after stopping OpenDNSSEC?

Regards,
Julian


