[Opendnssec-user] Purging unreferenced keys from softhsm2
Philip Paeps
philip at trouble.is
Fri Jul 9 08:07:26 UTC 2021
On 2021-07-09 15:55:25 (+0800), Berry van Halderen via Opendnssec-user wrote:
> On 2021-07-09 09:17, Philip Paeps via Opendnssec-user wrote:
>> Following my adventures upgrading a moderately neglected (but well
>> automated!) installation last month, I've been poking around the
>> filesystem looking for stale things that might come and bite me later.
>>
>> I discovered that I have 10016 files in /var/db/softhsm, 5006 of which
>> are named *.object. This seems a little excessive for 22 zones with
>> fairly boring policies:
>>
>> <Keys>
>> <TTL>PT86400S</TTL>
>> <RetireSafety>PT14400S</RetireSafety>
>> <PublishSafety>PT14400S</PublishSafety>
>> <Purge>P14D</Purge>
>> <KSK>
>> <Algorithm length="256">13</Algorithm>
>> <Lifetime>P1Y</Lifetime>
>> <Repository>SoftHSM</Repository>
>> </KSK>
>> <ZSK>
>> <Algorithm length="256">13</Algorithm>
>> <Lifetime>P90D</Lifetime>
>> <Repository>SoftHSM</Repository>
>> </ZSK>
>> </Keys>
>>
>> My enforcer setting is pretty boring too:
>>
>> <AutomaticKeyGenerationPeriod>P14D</AutomaticKeyGenerationPeriod>
>>
>
> This is probably due to a problem in OpenDNSSEC in versions
> prior to 2.1.8. This caused keys to be deleted from the listing
> of keys, but not actively removed from the HSM, as found by
> Stefan Ubbink from SIDN. Since you have selected automatic
> purging of keys, this (upon upgrade to 2.1.9) should be done
> automatically upon the next cycle of purging keys. You can
> force this using "ods-enforcer purge -d".
I should have mentioned that I did that first. :-)
An 'ods-enforcer key purge -d' removed 576 keys. Definitely an improvement!
Philip
--
Philip Paeps
Senior Reality Engineer
Alternative Enterprises
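The thread compares a raw file count in the SoftHSM2 store with what the enforcer's policy should need. The script below is an added example, not code from the thread, OpenDNSSEC or SoftHSM; it turns that comparison into a repeatable check. It assumes (neither stated in the thread nor verified against your version) that SoftHSM2's file store keeps one <uuid>.object file per PKCS#11 object, that a DNSSEC key pair is two such objects (public and private), and that the token's own metadata lives in token.object. The directory layout and the "referenced" key-pair count in demo() are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread, OpenDNSSEC or SoftHSM): audit a
# SoftHSM2 file-backed token directory against the number of key pairs
# the enforcer still references.
#
# Assumptions, not stated in the thread:
#   - every PKCS#11 object is stored as one <uuid>.object file
#   - a DNSSEC key pair is two objects (public + private)
#   - token.object holds the token's own metadata, not a key

# Count key objects in a token directory, ignoring token.object.
object_count() {
    dir=$1
    n=0
    for f in "$dir"/*.object; do
        [ -e "$f" ] || continue
        case "$(basename "$f")" in
            token.object) continue ;;
        esac
        n=$((n + 1))
    done
    echo "$n"
}

# Objects that no referenced key pair accounts for: objects - 2 * pairs.
# Zero means the store matches the listing; positive means stale objects
# are still in the store; negative means the listing claims keys that are
# not in the store (worth investigating before any purge).
estimate_orphans() {
    objects=$1
    keypairs=$2
    echo $((objects - 2 * keypairs))
}

# Build a constructed token directory: token metadata plus 6 key objects
# (3 pairs), then pretend the enforcer only lists 2 pairs.
demo() {
    tmp=$(mktemp -d)
    touch "$tmp/token.object" "$tmp/token.lock" "$tmp/generation"
    i=0
    while [ "$i" -lt 6 ]; do
        touch "$tmp/object-$i.object" "$tmp/object-$i.lock"
        i=$((i + 1))
    done
    objs=$(object_count "$tmp")
    referenced=2   # constructed: key pairs the enforcer still lists
    orphans=$(estimate_orphans "$objs" "$referenced")
    rm -rf "$tmp"
    echo "objects=$objs referenced_pairs=$referenced estimated_orphan_objects=$orphans"
}

demo
```

Against a real installation, point object_count at the token directory (the thread's is /var/db/softhsm) and feed estimate_orphans the number of key pairs in the enforcer's key listing; how you count those lines depends on your OpenDNSSEC version's output format, so that step is left to the operator. Run the check before and after 'ods-enforcer key purge -d' to confirm the purge actually shrank the store rather than only the key list.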