[Opendnssec-user] Release candidate for OpenDNSSEC 2.1.8
Vincent Levigneron
vincent.levigneron at afnic.fr
Thu Nov 19 21:46:46 UTC 2020
Dear Berry,
Concerning the purge issue, is it supposed to fix the case where the commands
say keys are deleted from the database and the HSM, but they are still there in both
of them (I am running version 2.1.6)?
Here is an example:
> ods-enforcer key purge --zone=bzh
deleting key: 0d5d04110c9321cc6920b6bfd8982c4a
deleting key: 3f78d78db7cfd77e8ba0ec538852e307
> ods-enforcer backup list
Locator: Repository: Backup state:
0d5d04110c9321cc6920b6bfd8982c4a AEPKeyper Not Required
3f78d78db7cfd77e8ba0ec538852e307 AEPKeyper Not Required
Keys are still in the database...
pkcs11-list
Enter Pin:
[...]
object[4]: handle 2147483736 class 3 label[32] '3f78d78db7cfd77e8ba0ec538852e307' id[16] 0x3f78d78db7cfd77e... E:never
object[5]: handle 2147483735 class 2 label[32] '3f78d78db7cfd77e8ba0ec538852e307' id[16] 0x3f78d78db7cfd77e...
object[6]: handle 2147483650 class 3 label[32] '0d5d04110c9321cc6920b6bfd8982c4a' id[16] 0x0d5d04110c9321cc... E:never
object[7]: handle 2147483649 class 2 label[32] '0d5d04110c9321cc6920b6bfd8982c4a' id[16] 0x0d5d04110c9321cc...
[...]
... and in the HSM.
I understand that with the additional --delete flag in 2.1.8, keys will be
removed from the HSM, but are they supposed to be removed from the DB too?
Regards,
Vincent
On 18 Nov., (Berry) A.W. van Halderen via Opendnssec-user wrote:
> Dear all,
>
> I've made a release candidate for a release of OpenDNSSEC (2.1.8rc1), to
> fix an issue with the purging of keys from the HSM. Given the nature
> of the operation I've opted to release it as a release candidate first.
> Another issue being fixed is a bug causing a crash after not having run
> OpenDNSSEC in the midst of a ZSK when your zone would have gone bogus
> already.
>
> To the key purge problem. Either when manually purging keys, or having
> specified a <Purge> in your key policy (kasp.xml), the keys are supposed
> to be removed from the HSM. However, for some time, the keys were marked
> for deletion, and became invisible, but the removal from the HSM was
> skipped. In this release candidate this is fixed, but still allowing
> keys not to be removed entirely. When you specify an automatic purge
> then the keys will, after the specified period, be completely
> removed. When you purge manually, keys are not removed from the HSM
> unless you specify an additional flag (the --delete or -d flag).
>
> Unless I get negative reports, I'll make a release from this fix after
> a grace period of 1 or 2 weeks. The release candidate is available here:
>
> https://dist.opendnssec.org/source/testing/opendnssec-2.1.8rc1.tar.gz
>
> \Berry
> _______________________________________________
> Opendnssec-user mailing list
> Opendnssec-user at lists.opendnssec.org
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
>
--
Vincent Levigneron A.F.N.I.C. Vincent.Levigneron at afnic.fr
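A scripted version of the check Vincent did by hand, added here as an example that is not from the thread or from the OpenDNSSEC project: it parses the `ods-enforcer key purge`, `ods-enforcer backup list` and `pkcs11-list` output formats shown in the message (the sample text below is constructed from those lines) and reports every locator that the purge claimed to delete but that still appears in the database listing or in the HSM.

```python
import re
from typing import Dict, List, Set

# Constructed sample output, copied from the formats shown in the thread.
PURGE_OUTPUT = """\
deleting key: 0d5d04110c9321cc6920b6bfd8982c4a
deleting key: 3f78d78db7cfd77e8ba0ec538852e307
"""
BACKUP_LIST_OUTPUT = """\
Locator: Repository: Backup state:
0d5d04110c9321cc6920b6bfd8982c4a AEPKeyper Not Required
3f78d78db7cfd77e8ba0ec538852e307 AEPKeyper Not Required
"""
PKCS11_LIST_OUTPUT = """\
Enter Pin:
object[4]: handle 2147483736 class 3 label[32] '3f78d78db7cfd77e8ba0ec538852e307' id[16] 0x3f78d78db7cfd77e... E:never
object[5]: handle 2147483735 class 2 label[32] '3f78d78db7cfd77e8ba0ec538852e307' id[16] 0x3f78d78db7cfd77e...
object[6]: handle 2147483650 class 3 label[32] '0d5d04110c9321cc6920b6bfd8982c4a' id[16] 0x0d5d04110c9321cc... E:never
object[7]: handle 2147483649 class 2 label[32] '0d5d04110c9321cc6920b6bfd8982c4a' id[16] 0x0d5d04110c9321cc...
"""

LOCATOR_RE = re.compile(r"^[0-9a-f]{32}$")

def purged_locators(text: str) -> Set[str]:
    """Locators that 'ods-enforcer key purge' reported as deleted."""
    return set(re.findall(r"^deleting key: ([0-9a-f]{32})\s*$", text, re.M))

def db_locators(text: str) -> Set[str]:
    """Locators still listed by 'ods-enforcer backup list', i.e. still in the DB."""
    found: Set[str] = set()
    for line in text.splitlines():
        parts = line.split()
        if parts and LOCATOR_RE.match(parts[0]):  # header line starts with 'Locator:'
            found.add(parts[0])
    return found

def hsm_objects(text: str) -> Dict[str, List[int]]:
    """Map each PKCS#11 label to the object classes carrying it (2=public, 3=private key)."""
    objs: Dict[str, List[int]] = {}
    for cls, label in re.findall(r"class (\d+) label\[\d+\] '([0-9a-f]{32})'", text):
        objs.setdefault(label, []).append(int(cls))
    return objs

def leftover_after_purge(purge: str, backup: str, pkcs11: str) -> Dict[str, Dict[str, object]]:
    """For every purged locator, report whether it is still in the DB and/or the HSM."""
    hsm, db, report = hsm_objects(pkcs11), db_locators(backup), {}
    for loc in sorted(purged_locators(purge)):
        in_db, classes = loc in db, hsm.get(loc, [])
        if in_db or classes:  # anything left behind is a purge that did not complete
            report[loc] = {"in_db": in_db, "hsm_classes": sorted(classes)}
    return report
```

On the sample from the thread both locators are reported as still present in the DB with both a public and a private object in the HSM; per Berry's note, HSM leftovers after a manual purge in 2.1.8 are expected unless --delete was given.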