[Opendnssec-user] Removing old keys and policies

Julian Brost julian at 0x4a42.net
Mon Aug 21 10:33:32 UTC 2017

On 21.08.2017 09:37, Hoda Rohani wrote:
> Hello,
> On 19-08-17 17:07, Julian Brost wrote:
>> Hi,
>> I'm currently running OpenDNSSEC 2.1.3 and after some experimenting, I
>> now want to remove some old policies and keys. Some of the testing has
>> already been done using version 1.4 or 2.0 and the installation was
>> upgraded.
>> When I try to remove the old policy "lab2", I get this error:
>> # ods-enforcer policy import -r
>> [...]
>> Unable to delete policy lab2, there are still hsm keys using this policy!
>> However, there is no zone left using that policy and trying to purge its
>> keys doesn't succeed either:
>> # ods-enforcer key purge -p lab2
>> No zones on policy lab2
>> No keys to purge
> Didn't expect that.

I think these keys are somehow left over from my experiments with
SoftHSM v2 where I at some point deleted all test zones using that repo
and wiped the SoftHSM v2 store.

>> What's the best way to proceed in this situation? Are there any tools
>> that can help me? Is it safe to manually remove keys from the table
>> "hsmKey" in the database after stopping OpenDNSSEC?
> I'd like to see your database. Is it possible to send it privately to me?

Sure, you'll receive another mail in a few moments.


More information about the Opendnssec-user mailing list