[Opendnssec-user] OpenDNSSEC-2.1.8 and SoftHSM-2.6.1 and a huge(?) repository

Michael Grimm trashcan at ellael.org
Thu Mar 11 13:27:17 UTC 2021


(Berry) A.W. van Halderen <berry at nlnetlabs.nl> wrote:
> On Thu, Mar 11, 2021 at 08:15:21AM +0100, Michael Grimm via Opendnssec-user wrote:

>>> Depending on your ZSK-rollover frequency it might be that there are
>>> still a lot of old keys in the HSM which OpenDNSSEC has no information
>>> any longer.
>> 
>> Rollover frequency is 90 days, not very frequently, though.
>> 
>> Excuse my ignorance, but how can one find out which keys are needed and which are not?
>> And if found, how do I purge them manually?
>> 
>> I did google, but I couldn't find appropriate information in this regard.
>> But I might have well looked for the wrong "buzz words" ;-)
> 
> Look for a discrepancy between the keys listed by "ods-enforcer key list -v", where
> you would need the CKA_ID field, and the list from ods-hsmutil, where you need the
> ID field.  I would however refrain from deleting the keys manually.

In the meantime I did succeed in getting an output of "ods-hsmutil list" ...

> There may also be a large number of keys that have been pre-generated
> if you have set a long AutomaticKeyGenerationPeriod compared to
> at least one of the key lifetimes in the kasp.xml policies.  If you
> have a policy with a key roll of 7 days, with a (default) key generation
> period of one year, it will pre-generate the keys for each of these zones
> for that period.

… and now I understand what might have "happened" to give me such a large repository for just 8 domains.

At the end of 2019 I migrated from RSA to ECDSA keys, both for KSK and ZSK. During that time I did some tests with very short key generation periods, which might have blown up my repository. Note: I did test my first KSK rollover with RSA.

Today I do find (zzz-ods-hsmutil-list is the output of a previous "ods-hsmutil list" run):

	dns2> wc zzz-ods-hsmutil-list 
	    4781   14339  320112 zzz-ods-hsmutil-list

	dns2> grep RSA zzz-ods-hsmutil-list | wc
	    4707   14121  315369

Thus fewer than 100 of my 4781 keys are ECDSA, and it would be very easy for me to remove the no-longer-needed keys manually.

But do you still recommend not doing so?
If not, when will these keys be purged automatically?
Could that be 10 years (the lifetime of my KSKs)?

Thanks and regards,
Michael
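The comparison Berry describes above, as an added example that is not part of the original thread or of the OpenDNSSEC project: a read-only shell script that pulls the 32-hex-character key identifiers out of saved "ods-enforcer key list -v" and "ods-hsmutil list" output and reports the IDs present only in the HSM, plus a per-algorithm tally like Michael's grep. Both sample outputs are constructed stand-ins, and the exact column layout of the two tools is an assumption to verify against a real run; in line with Berry's advice the script deletes nothing.

```shell
#!/bin/sh
# Added example, not from the original thread or from the OpenDNSSEC project:
# a read-only check for HSM keys the enforcer no longer knows about.  It
# extracts every 32-hex-character identifier (assumed to be the CKA_ID column
# of "ods-enforcer key list -v" and the ID column of "ods-hsmutil list") from
# saved output of the two commands and reports IDs present only in the HSM.
# Nothing is deleted.  The sample outputs below are constructed; the real
# column layout of both tools may differ, so check it before trusting a run.

SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

ENFORCER_SAMPLE="$SAMPLE_DIR/enforcer-key-list"
HSM_SAMPLE="$SAMPLE_DIR/hsmutil-list"

# Constructed stand-in for "ods-enforcer key list -v": three live ECDSA keys.
cat > "$ENFORCER_SAMPLE" <<'EOF'
Keys:
Zone:        Keytype: State:  Date of next transition: Size: Algorithm: CKA_ID:                          Repository: KeyTag:
example.net  KSK      active  2031-01-01 00:00:00      256   13         1f0d2c5e9b7a4c3d8e6f0a1b2c3d4e5f SoftHSM     12345
example.net  ZSK      active  2021-06-09 00:00:00      256   13         2a7b9c0d1e3f4a5b6c7d8e9f0a1b2c3d SoftHSM     23456
example.org  KSK      active  2031-01-01 00:00:00      256   13         3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f SoftHSM     34567
EOF

# Constructed stand-in for "ods-hsmutil list": the same three keys plus two
# RSA keys left over from before an algorithm rollover.
cat > "$HSM_SAMPLE" <<'EOF'
Listing keys in all repositories.
5 keys found.

Repository  ID                                Type
----------  --                                ----
SoftHSM     1f0d2c5e9b7a4c3d8e6f0a1b2c3d4e5f  ECDSA/P-256
SoftHSM     9e8d7c6b5a4f3e2d1c0b9a8f7e6d5c4b  RSA/2048
SoftHSM     2a7b9c0d1e3f4a5b6c7d8e9f0a1b2c3d  ECDSA/P-256
SoftHSM     c0ffee0123456789abcdef0123456789  RSA/2048
SoftHSM     3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f  ECDSA/P-256
EOF

# key_ids FILE: the lower-cased, sorted, de-duplicated 32-hex identifiers in FILE.
key_ids() {
    grep -oE '[0-9a-fA-F]{32}' "$1" | tr 'A-F' 'a-f' | LC_ALL=C sort -u
}

# orphan_keys ENFORCER_OUT HSMUTIL_OUT: IDs the HSM holds but the enforcer
# does not list, one per line.
orphan_keys() {
    work=$(mktemp -d)
    key_ids "$1" > "$work/enforcer"
    key_ids "$2" > "$work/hsm"
    # comm -13 drops lines unique to the enforcer list and lines common to
    # both files, leaving only the IDs unique to the HSM.
    LC_ALL=C comm -13 "$work/enforcer" "$work/hsm"
    rm -rf "$work"
}

# count_orphans ENFORCER_OUT HSMUTIL_OUT: number of orphan IDs.
count_orphans() {
    orphan_keys "$1" "$2" | grep -c '' || true
}

# count_type HSMUTIL_OUT PREFIX: how many key rows have a Type column starting
# with PREFIX (e.g. RSA or ECDSA).  Like "grep RSA | wc", but only on rows
# that actually carry a key ID, so header lines cannot inflate the count.
count_type() {
    grep -E '[0-9a-fA-F]{32}' "$1" | awk '{ print $NF }' | grep -c "^$2" || true
}

echo "HSM keys unknown to the enforcer:"
orphan_keys "$ENFORCER_SAMPLE" "$HSM_SAMPLE"
echo "RSA keys in HSM:   $(count_type "$HSM_SAMPLE" RSA)"
echo "ECDSA keys in HSM: $(count_type "$HSM_SAMPLE" ECDSA)"
```

For a real repository, save the two command outputs to files first (`ods-enforcer key list -v > enforcer.txt`, `ods-hsmutil list > hsm.txt`) and call `orphan_keys enforcer.txt hsm.txt`; the list it prints is the set of candidates to discuss, not a list to feed straight into a delete command.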