[Opendnssec-user] ods-enforcerd: [hsm_key_factory_delete_key] unable to remove key
Stefan Ubbink
Stefan.Ubbink at sidn.nl
Wed Mar 3 10:44:44 UTC 2021
Hello,
I'm running OpenDNSSEC 2.1.8 in our acceptance environment and when I
try to purge keys from the politie zone it gives the message in the
subject.
I run the following command:
root at ede1-signa1:~# ods-enforcer key purge --zone politie --delete
No keys to purge for politie
Found no keys to delete from HSM
root at ede1-signa1:~#
The logging shows the following:
Mar 3 11:34:09 ede1-signa1 ods-enforcerd: received command key purge --zone politie --delete
Mar 3 11:34:09 ede1-signa1 ods-enforcerd: [hsm_key_factory_delete_key] looking for keys to purge from HSM
Mar 3 11:34:09 ede1-signa1 ods-enforcerd: [hsm_key_factory_delete_key] unable to remove key cc4a433a33a40fce18717beea330a3d1
And I can understand that is unable to delete this key from the HSM,
because it is no longer available in the HSM:
root at ede1-signa1:~# ods-hsmutil list HSM-OTA | grep cc4a433a33a40fce18717beea330a3d1
root at ede1-signa1:~#
How can I tell OpenDNSSEC that this key has already been removed from
the HSM and it should no longer try to remove it from the HSM.
I thought about removing it from hsmKey table in the MySQL database
directly. But I don't know if this has any side effects.
--
Stefan Ubbink
DNS & Systems Engineer
Present: Mon, Tue, Wed, Fri
SIDN | Meander 501 | 6825 MD | ARNHEM | The Netherlands
T +31 (0)26 352 55 00
https://www.sidn.nl
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL: <http://lists.opendnssec.org/pipermail/opendnssec-user/attachments/20210303/fb84a1ce/attachment.bin>
More information about the Opendnssec-user
mailing list