[Opendnssec-user] ods-enforcerd: [hsm_key_factory_delete_key] unable to remove key

(Berry) A.W. van Halderen berry at nlnetlabs.nl
Fri Mar 5 10:13:12 UTC 2021


On Wed, Mar 03, 2021 at 11:44:44AM +0100, Stefan Ubbink via Opendnssec-user wrote:
> I'm running OpenDNSSEC 2.1.8 in our acceptance environment and when I
> try to purge keys from the politie zone it gives the message in the
> subject.
> 
> I run the following command:
> root@ede1-signa1:~# ods-enforcer key purge --zone politie --delete
> No keys to purge for politie 
> Found no keys to delete from HSM
> root@ede1-signa1:~#

I believe this happened because the key has been manually removed from
the HSM without telling OpenDNSSEC because of the bug fixed in 2.1.8.

> And I can understand that it is unable to delete this key from the HSM,
> because it is no longer available in the HSM:
> root@ede1-signa1:~# ods-hsmutil list HSM-OTA | grep cc4a433a33a40fce18717beea330a3d1
> root@ede1-signa1:~#
> 
> How can I tell OpenDNSSEC that this key has already been removed from
> the HSM and it should no longer try to remove it from the HSM.
> I thought about removing it from hsmKey table in the MySQL database
> directly. But I don't know if this has any side effects.
> 

I think we need to do this indeed through the database, I believe you know
the query (a delete from a single table).  This will not have any
side effects.

\Berry

