[Opendnssec-user] OpenDNSSEC-2.1.8 and SoftHSM-2.6.1 and a huge(?) repository
Stefan Ubbink
Stefan.Ubbink at sidn.nl
Thu Mar 11 06:01:21 UTC 2021
On Wed, 10 Mar 2021 20:26:44 +0100
Michael Grimm via Opendnssec-user
<opendnssec-user at lists.opendnssec.org> wrote:
> Hi,
Hello Michael,
> I updated to OpenDNSSEC 2.1.8 today, and found a lot of …
>
> [hsm_key_factory_get_key] removing key
> 1a0ff0971e71b7de02685c762da272bb from HSM
>
> … in my ods' logfile.
>
> I do assume that this has to do with what is mentioned in the release
> notes:
>
> This release of 2.1.8 fixes a number of bugs related to the
> purging of keys, ...
>
> Correct?
Yes, that is correct.
> And, I found out (while investigating) that my SoftHSM repository is
> huge …
>
> dns2> ls -al /var/lib/softhsm/tokens/x-y-z/ | wc
> 9692 96912 910872
>
> … that a …
>
> dns2> ods-hsmutil list
>
> Listing keys in all repositories.
>
> … hangs "forever" (1 hour at least).
>
> Hmm, is this something to worry about?
Depending on your ZSK-rollover frequency, it might be that there are
still a lot of old keys in the HSM about which OpenDNSSEC no longer has
any information.
> I am 3 days prior to ZSK rollovers of several domains.
> Besides that huge repository, everything looks normal to me.
When everything looks normal, it seems to me that it should continue to
work normally.
--
Stefan Ubbink
DNS & Systems Engineer
Present: Mon, Tue, Wed, Fri
SIDN | Meander 501 | 6825 MD | ARNHEM | The Netherlands
T +31 (0)26 352 55 00
https://www.sidn.nl