[Opendnssec-user] OpenDNSSEC-2.1.8 and SoftHSM-2.6.1 and a huge(?) repository
(Berry) A.W. van Halderen
berry at nlnetlabs.nl
Thu Mar 11 10:16:52 UTC 2021
On Thu, Mar 11, 2021 at 08:15:21AM +0100, Michael Grimm via Opendnssec-user wrote:
> >> And, I found out (while investigating) that my SoftHSM repository is
> >> huge …
> >>
> >> dns2> ls -al /var/lib/softhsm/tokens/x-y-z/ | wc
> >> 9692 96912 910872
> >>
> >> … that a …
> >>
> >> dns2> ods-hsmutil list
> >>
> >> Listing keys in all repositories.
> >>
> >> … hangs "forever" (1 hour at least).
> >>
> >> Hmm, is this something to worry about?
Not if it's that large.
> > Depending on your ZSK-rollover frequency it might be that there are
> > still a lot of old keys in the HSM which OpenDNSSEC has no information
> > any longer.
>
> Rollover frequency is 90 days, not very frequently, though.
>
> Excuse my ignorance, but how can one find out which keys are needed and which are not?
> And if found, how to purge them manually?
>
> I did google, but I couldn't find appropriate information in this regard.
> But I might have well looked for the wrong "buzz words" ;-)
Compare the keys listed by "ods-enforcer key list -v", where you would need
the CKA_ID field, with the list from ods-hsmutil, where it is the ID field;
the discrepancy is what you are looking for. I would however refrain from
deleting the keys manually.
There may also be a large number of keys that have been pre-generated
if you have set a long AutomaticKeyGenerationPeriod compared to
at least one of the key lifetimes in the kasp.xml policies. If you
have a policy with a key roll of 7 days, with a (default) key generation
period of one year, it will pre-generate the keys for each of these zones
for that period.
\Berry
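The comparison Berry describes, as an added example that is not part of the thread or of OpenDNSSEC itself: it matches the CKA_ID column of "ods-enforcer key list -v" against the ID column of "ods-hsmutil list" and reports HSM keys the enforcer does not reference. The sample outputs are constructed, and their column layout is an assumption; the script only reads 32-hex-digit IDs, so it is tolerant of the exact header format, and it reports rather than deletes, since the unreferenced set may include pre-generated keys that are still waiting to be assigned.

```python
import re
from typing import Dict, Set

# Constructed sample of "ods-enforcer key list -v" output (layout assumed).
ENFORCER_OUTPUT = """\
Keys:
Zone:        Keytype: State:  Date of next transition: Size: Algorithm: CKA_ID:                          Repository: KeyTag:
example.com  KSK      active  2021-06-09 10:16:52      2048  8          0b1d1f2c4b6f4a8e9d3c5a7e1f2a3b4c SoftHSM     12345
example.com  ZSK      active  2021-06-09 10:16:52      1024  8          7f8e9d0c1b2a3f4e5d6c7b8a9f0e1d2c SoftHSM     54321
example.com  ZSK      publish 2021-06-09 10:16:52      1024  8          a1b2c3d4e5f60718293a4b5c6d7e8f90 SoftHSM     11111
"""

# Constructed sample of "ods-hsmutil list" output (layout assumed).
HSMUTIL_OUTPUT = """\
Listing keys in all repositories.
5 keys found.

Repository  ID                                Type
----------  --                                ----
SoftHSM     0b1d1f2c4b6f4a8e9d3c5a7e1f2a3b4c  RSA/2048
SoftHSM     7f8e9d0c1b2a3f4e5d6c7b8a9f0e1d2c  RSA/1024
SoftHSM     a1b2c3d4e5f60718293a4b5c6d7e8f90  RSA/1024
SoftHSM     00112233445566778899aabbccddeeff  RSA/1024
SoftHSM     ffeeddccbbaa99887766554433221100  RSA/1024
"""

# OpenDNSSEC CKA_IDs are 16 random bytes, printed as 32 hex digits.
HEX_ID = re.compile(r"\b[0-9a-fA-F]{32}\b")

def enforcer_ids(text: str) -> Set[str]:
    """CKA_IDs the enforcer still knows about (one per key row)."""
    return {m.group(0).lower() for m in map(HEX_ID.search, text.splitlines()) if m}

def hsmutil_keys(text: str) -> Dict[str, str]:
    """Map each ID found in the HSM listing to its repository name (first column)."""
    keys: Dict[str, str] = {}
    for line in text.splitlines():
        m = HEX_ID.search(line)
        if m:
            keys[m.group(0).lower()] = line.split()[0]
    return keys

def unreferenced_keys(enforcer_text: str, hsmutil_text: str) -> Dict[str, str]:
    """HSM keys with no matching CKA_ID in the enforcer's key list: report only."""
    known = enforcer_ids(enforcer_text)
    return {k: repo for k, repo in hsmutil_keys(hsmutil_text).items() if k not in known}

if __name__ == "__main__":
    for cka_id, repo in sorted(unreferenced_keys(ENFORCER_OUTPUT, HSMUTIL_OUTPUT).items()):
        print(f"{repo}\t{cka_id}\tnot referenced by enforcer")
```

On a live system save both command outputs to files first (the hsmutil listing may take a long time on a large repository) and feed those files to the two functions.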