[Opendnssec-user] OpenDNSSEC-2.1.8 and SoftHSM-2.6.1 and a huge(?) repository

Michael Grimm trashcan at ellael.org
Thu Mar 11 07:15:21 UTC 2021


Stefan Ubbink <Stefan.Ubbink at sidn.nl> wrote:
> 
> Michael Grimm via Opendnssec-user <opendnssec-user at lists.opendnssec.org> wrote:

>> And, I found out (while investigating) that my SoftHSM repository is
>> huge …
>> 
>> 	dns2> ls -al /var/lib/softhsm/tokens/x-y-z/ | wc   
>> 	9692 96912 910872 
>> 
>> … that a …
>> 
>> 	dns2> ods-hsmutil list  
>> 
>> 	Listing keys in all repositories.
>> 
>> … hangs "forever" (1 hour at least).
>> 
>> Hmm, is this something to worry about? 
> 
> Depending on your ZSK-rollover frequency it might be that there are
> still a lot of old keys in the HSM about which OpenDNSSEC no longer has
> any information.

Rollover frequency is 90 days, not very frequent, though.

Excuse my ignorance, but how can one find out which keys are needed and which are not?
And if found, how can one purge them manually?

I did google, but I couldn't find appropriate information in this regard. 
But I might well have looked for the wrong "buzz words" ;-)

>> I am 3 days prior to ZSK rollovers of several domains.
>> Besides that huge repository, everything looks normal to me.
> 
> When everything looks normal, it seems to me that it should continue to
> work normally.

Thanks, I will see ;-)

Thanks and regards,
Michael

