[Opendnssec-user] Purging unreferenced keys from softhsm2
Philip Paeps
philip at trouble.is
Mon Jul 12 12:42:59 UTC 2021
On 2021-07-09 15:55:25 (+0800), Berry van Halderen via Opendnssec-user wrote:
> On 2021-07-09 09:17, Philip Paeps via Opendnssec-user wrote:
>> Following my adventures upgrading a moderately neglected (but well
>> automated!) installation last month, I've been poking around the
>> filesystem looking for stale things that might come and bite me
>> later.
>>
>> I discovered that I have 10016 files in /var/db/softhsm, 5006 of which
>> are named *.object. This seems a little excessive for 22 zones with
>> fairly boring policies:
>>
>> <Keys>
>>   <TTL>PT86400S</TTL>
>>   <RetireSafety>PT14400S</RetireSafety>
>>   <PublishSafety>PT14400S</PublishSafety>
>>   <Purge>P14D</Purge>
>>   <KSK>
>>     <Algorithm length="256">13</Algorithm>
>>     <Lifetime>P1Y</Lifetime>
>>     <Repository>SoftHSM</Repository>
>>   </KSK>
>>   <ZSK>
>>     <Algorithm length="256">13</Algorithm>
>>     <Lifetime>P90D</Lifetime>
>>     <Repository>SoftHSM</Repository>
>>   </ZSK>
>> </Keys>
>>
>> My enforcer setting is pretty boring too:
>>
>> <AutomaticKeyGenerationPeriod>P14D</AutomaticKeyGenerationPeriod>
>
> This is probably due to a problem in OpenDNSSEC in versions
> prior to 2.1.8. This caused keys to be deleted from the listing
> of keys, but not actively removed from the HSM, as found by
> Stefan Ubbink from SIDN. Since you have selected automatic
> purging of keys, this (upon upgrade to 2.1.9) should be done
> automatically upon the next cycle of purging keys. You can
> force this using "ods-enforcer purge -d".
I did some more digging and it looks like the keys are related to a
policy which no longer exists.
sqlite> select count(*) from hsmKey where policyId = 2;
3465
sqlite> select * from policy where id = 2;
sqlite> select * from zone where policyId = 2;
sqlite>
I'm not sure if that makes the problem better or worse. :-)
Philip
--
Philip Paeps
Senior Reality Engineer
Alternative Enterprises
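An added check (example code written for this page, not from the thread or from OpenDNSSEC) that generalises the three sqlite queries above: for every policyId that hsmKey rows reference but that no longer exists in the policy table, it counts the stranded key rows and lists any zones still pointing at that policy. The table and column names are the ones the thread's queries use; the cut-down schema and the sample rows are constructed assumptions, and against a real enforcer database you would pass its sqlite file path to report() instead of relying on the built-in sample.

```python
import sqlite3

# Assumed minimal stand-in for the enforcer database: only the tables and
# columns the thread's queries touch (hsmKey.policyId, policy.id, zone.policyId).
# The real schema has many more columns; these three suffice for the check.
SCHEMA = """
CREATE TABLE policy (id INTEGER PRIMARY KEY, name TEXT);
CREATE TABLE zone   (id INTEGER PRIMARY KEY, name TEXT, policyId INTEGER);
CREATE TABLE hsmKey (id INTEGER PRIMARY KEY, locator TEXT, policyId INTEGER);
"""


def sample_connection():
    """Constructed sample: policy 1 is live with one zone; policy 2 has been
    deleted but three hsmKey rows still reference it (the thread's situation,
    scaled down)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO policy VALUES (1, 'default')")
    conn.execute("INSERT INTO zone VALUES (1, 'example.test', 1)")
    conn.executemany("INSERT INTO hsmKey VALUES (?, ?, ?)", [
        (1, "loc-a", 1), (2, "loc-b", 1),
        (3, "loc-c", 2), (4, "loc-d", 2), (5, "loc-e", 2),
    ])
    return conn


def orphaned_keys_by_policy(conn):
    """Return {policyId: count} for hsmKey rows whose policyId has no policy row."""
    rows = conn.execute("""
        SELECT k.policyId, COUNT(*) FROM hsmKey k
        LEFT JOIN policy p ON p.id = k.policyId
        WHERE p.id IS NULL
        GROUP BY k.policyId
    """).fetchall()
    return {pid: n for pid, n in rows}


def zones_using_policy(conn, policy_id):
    """Zones still bound to a policy id (expected empty for a deleted policy)."""
    sql = "SELECT name FROM zone WHERE policyId = ? ORDER BY name"
    return [name for (name,) in conn.execute(sql, (policy_id,))]


def report(db_path=None):
    """Print one line per orphaned policy id and return the {policyId: count} map."""
    conn = sqlite3.connect(db_path) if db_path else sample_connection()
    orphans = orphaned_keys_by_policy(conn)
    for pid, n in sorted(orphans.items(), key=lambda kv: str(kv[0])):
        zones = zones_using_policy(conn, pid) or "none"
        print(f"policyId {pid}: {n} hsmKey rows, no policy row; zones using it: {zones}")
    return orphans


if __name__ == "__main__":
    report()
```

A non-empty result means the enforcer's key listing no longer explains every key object the HSM holds, which is the condition the thread attributes to the pre-2.1.8 purge bug.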