[Opendnssec-user] Remove keys not in repository
Yuri Schaeffer
yuri at nlnetlabs.nl
Sun Jun 11 19:28:54 UTC 2017
Hi Arun,
What version of OpenDNSSEC are you using?
//Yuri
On 11-06-17 11:05, Arun Natarajan wrote:
> Hello,
>
> I accidentally ended up in a state in which the key with CKA_ID
> "fc1c149afbf4c8996fb92427" does not exist on SoftHSM.
>
> example.com ZSK active 2017-12-15 14:35:15 (retire) 2048 8 fc1c149afbf4c8996fb92427 SoftHSM_1 NOT IN repository
> example.com KSK ready waiting for ds-seen (active) 2048 8 fc1c149afbf4c8996fb92427 SoftHSM_2 NOT IN repository
>
> But ods put those keys in active state for ZSK and ready state
> (ds-seen) for KSK. Basically I cannot just delete the keys from ODS.
>
> "The enforcer believes that this key is in use, quitting..."
>
> With a roll over the ZSK is fine, it published a new key, but for KSK
> ds-seen or roll over does not help.
>
> - ds-seen
> "
> cka_id fc1c149afbf4c8996fb92427 in DB but NOT IN repository
> No keys in the READY state matched your parameters, please check the
> parameters
> "
>
> Appreciate any advice on how to get rid of the non-hsm KSK CKA_ID.
>
> -
> Thanks
> Arun