[Opendnssec-user] Purging unreferenced keys from softhsm2

Berry van Halderen berry at nlnetlabs.nl
Fri Jul 9 07:55:25 UTC 2021


On 2021-07-09 09:17, Philip Paeps via Opendnssec-user wrote:
> Following my adventures upgrading a moderately neglected (but well
> automated!) installation last month, I've been poking around the
> filesystem looking for stale things that might come and bite me later.
> 
> I discovered that I have 10016 files in /var/db/softhsm, 5006 of which
> are named *.object. This seems a little excessive for 22 zones with
> fairly boring policies:
> 
> <Keys>
>   <TTL>PT86400S</TTL>
>   <RetireSafety>PT14400S</RetireSafety>
>   <PublishSafety>PT14400S</PublishSafety>
>   <Purge>P14D</Purge>
>   <KSK>
>     <Algorithm length="256">13</Algorithm>
>     <Lifetime>P1Y</Lifetime>
>     <Repository>SoftHSM</Repository>
>   </KSK>
>   <ZSK>
>     <Algorithm length="256">13</Algorithm>
>     <Lifetime>P90D</Lifetime>
>     <Repository>SoftHSM</Repository>
>   </ZSK>
> </Keys>
> 
> My enforcer setting is pretty boring too:
> 
> <AutomaticKeyGenerationPeriod>P14D</AutomaticKeyGenerationPeriod>
> 

This is probably due to a problem in OpenDNSSEC in versions
prior to 2.1.8.  This caused keys to be deleted from the listing
of keys, but not actively being removed from the HSM, as found by
Stefan Ubbink from SIDN.  Since you have selected automatic
purging of keys, this (upon upgrade to 2.1.9) should be done
automatically upon the next cycle of purging keys.  You can
force this using "ods-enforcer purge -d".

\Berry
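An added check, not part of this thread or of OpenDNSSEC, that reconciles the CKA_IDs the enforcer still references against the key objects present in the token, so the orphaned keys described above can be counted before and after running `ods-enforcer purge -d`. It assumes both listings have been captured to text files (for instance the verbose enforcer key list and an object listing of the SoftHSM token via a PKCS#11 client); the sample inputs below are constructed and their column layout is an assumption, which is why the code only looks for 32-hex-digit CKA_ID tokens rather than fixed columns.

```python
import re
from typing import Set, Tuple

# OpenDNSSEC shows CKA_IDs as 32 hex characters (16 bytes); match only those tokens.
CKA_ID_RE = re.compile(r"\b[0-9a-fA-F]{32}\b")


def cka_ids_in(text: str) -> Set[str]:
    """Collect every 32-hex-digit token in `text`, normalised to lower case."""
    return {m.lower() for m in CKA_ID_RE.findall(text)}


def unreferenced_keys(enforcer_listing: str, hsm_listing: str) -> Set[str]:
    """CKA_IDs present in the token but no longer referenced by the enforcer."""
    return cka_ids_in(hsm_listing) - cka_ids_in(enforcer_listing)


def summarize(enforcer_listing: str, hsm_listing: str) -> Tuple[int, int, int]:
    """(keys referenced by enforcer, objects in token, orphaned objects)."""
    referenced = cka_ids_in(enforcer_listing)
    in_hsm = cka_ids_in(hsm_listing)
    return len(referenced), len(in_hsm), len(in_hsm - referenced)


# Constructed sample of a verbose enforcer key list (column layout assumed).
ENFORCER_SAMPLE = """\
example.org  KSK  active  2022-07-01  256  13  0123456789abcdef0123456789abcdef  SoftHSM  12345
example.org  ZSK  active  2021-10-01  256  13  fedcba9876543210fedcba9876543210  SoftHSM  23456
"""

# Constructed sample of a token object listing ("ID:" lines as a PKCS#11 client
# would print them; format assumed). The third object is an orphan.
HSM_SAMPLE = """\
Private Key Object; EC
  label:      example.org
  ID:         0123456789abcdef0123456789abcdef
Private Key Object; EC
  ID:         fedcba9876543210fedcba9876543210
Private Key Object; EC
  ID:         deadbeefdeadbeefdeadbeefdeadbeef
"""

if __name__ == "__main__":
    ref, total, orphaned = summarize(ENFORCER_SAMPLE, HSM_SAMPLE)
    print(f"referenced={ref} in_token={total} orphaned={orphaned}")
    for cka_id in sorted(unreferenced_keys(ENFORCER_SAMPLE, HSM_SAMPLE)):
        print("unreferenced:", cka_id)
```

After a successful purge the orphaned count should drop to zero; a non-zero count that persists across purge cycles is worth investigating before assuming the token is clean.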

