Hi,

If there isn't any bug in the implementation, Knot DNS deletes old keys from (soft)HSM as well. It would be very impractical otherwise!

Daniel

On 2021-09-08 19:13, Luveh Keraph wrote:
Thanks. The situation that I am addressing is that of a key roll over.
 My guess is that when such an event takes place Knot will
automatically remove the obsolete key from the KASP, but not from the
HSM. Which, in the case of SoftHSM, implies that keys will be added to
the corresponding token directory indefinitely. I am guessing that a
judicious use of keymgr list and keymgr delete will enable an
administrator to remove old keys from the HSM - but it will have to be
done by hand: Knot will not do so on its own. Is this a correct view
of the way things are?

On Wed, Sep 8, 2021 at 9:29 AM libor.peltan <[email protected]>
wrote:

Hi Luveh,

when just re-signing the zone, Knot does not need to generate any
newer key pairs. It's just still using the key pair it has generated
initially (for each zone separately).

Only in the case of ZSK and KSK rollovers, when the keys (ZSK and
KSK, respectively) reach their configured lifetime, new keys are
generated and the old ones are rolled over (in a somewhat complicated,
multi-step process) and deleted afterwards, so that in the usual case
only 2 keys per zone are present.

In case of single-type signing scheme, it's just one key per zone
(CSK).

Anyway, any keys can be deleted (if needed) by the keymgr utility.
One just needs to check that the key being deleted is not needed
anymore ;)

Libor
On 08. 09. 21 at 17:23, Luveh Keraph wrote:

When Knot generates a key pair, it will save it in some directory
in the filesystem - in the clear, when using the default
cryptographic provider, or as an encrypted blob when using
SoftHSM, or (possibly) a real HSM.

Imagine that I have a setup with many zones, with a signing policy
that causes them to be re-signed often - say, every hour or so.
This implies that new key pairs will be generated all the time.

My question is, how does Knot manage key pairs that it does not
need any more? It does not seem to remove them automatically. Does
it provide any mechanisms or tools to do so?
--
https://lists.nic.cz/mailman/listinfo/knot-dns-users
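The thread's advice is to inspect a zone's keys with keymgr list and, where something is no longer needed, remove it with keymgr delete, while Daniel's reply says Knot should already be dropping rolled-over keys from the (Soft)HSM itself. The script below is an added example written for this page; it is not code from the thread or from the Knot DNS project. It turns that advice into a check: list a zone's keys, pick out any whose scheduled "remove" time is already in the past, and print (or, only when explicitly requested, run) the matching keymgr delete command. Because Knot is expected to have removed such keys on its own, a non-empty result is a signal to investigate rather than a routine cleanup. The listing in the block is constructed for the example, and the assumed output format (one key per line, key ID first, then key=value fields including remove=<unix time>, with 0 meaning "not scheduled") must be verified against your own keymgr version before use. The thread does not say whether keymgr delete also removes the PKCS#11 object from the token, so check that separately with your token tooling after a deletion.

```shell
# Added example, not code from the thread or from the Knot DNS project.
# Audit a zone's keys for entries whose scheduled "remove" time has already
# passed. Per the thread, Knot deletes such keys itself after a rollover, so
# anything this prints is worth a closer look rather than a routine cleanup.
#
# ASSUMPTION: "keymgr <zone> list" prints one key per line, the key ID first,
# followed by space-separated key=value fields including remove=<unix time>,
# with remove=0 meaning "no removal scheduled". Verify the format and the
# timestamp representation against your own keymgr before relying on this.

# Constructed sample listing for this example (not real keymgr output).
SAMPLE_LISTING='a1b2c3 ksk=yes zsk=no tag=11111 algorithm=13 size=256 active=1600000000 retire=0 remove=0
d4e5f6 ksk=no zsk=yes tag=22222 algorithm=13 size=256 active=1600000000 retire=1630000000 remove=1630086400
0a1b2c ksk=no zsk=yes tag=33333 algorithm=13 size=256 active=1630000000 retire=0 remove=0
f0e1d2 ksk=no zsk=yes tag=44444 algorithm=13 size=256 active=1590000000 retire=1620000000 remove=1700000000'

# expired_key_ids LISTING NOW
# Prints the IDs of keys whose remove time is set (non-zero) and <= NOW.
expired_key_ids() {
    printf '%s\n' "$1" | awk -v now="$2" '
        NF > 0 {
            id = $1; rm = 0
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^remove=/) { split($i, kv, "="); rm = kv[2] + 0 }
            }
            if (rm > 0 && rm <= now) print id
        }'
}

# audit_zone_keys ZONE
# Runs keymgr for a real zone and prints "keymgr ZONE delete ID" for each
# key past its remove time. Nothing is deleted unless APPLY=1 is set, so the
# default is a dry run. KEYMGR may point at a wrapper that passes your own
# configuration options; it is left for the operator to set.
audit_zone_keys() {
    zone="$1"
    now=$(date +%s)
    listing=$("${KEYMGR:-keymgr}" "$zone" list) || return 1
    expired_key_ids "$listing" "$now" | while IFS= read -r id; do
        if [ "${APPLY:-0}" = "1" ]; then
            "${KEYMGR:-keymgr}" "$zone" delete "$id"
        else
            echo "would run: keymgr $zone delete $id"
        fi
    done
}

# Stand-alone demonstration on the constructed listing (no keymgr needed).
echo "Keys past their remove time as of 2021-12-20 (unix 1640000000):"
expired_key_ids "$SAMPLE_LISTING" 1640000000
```

Run it against a real zone as `audit_zone_keys example.com.` for a dry run; only `APPLY=1 audit_zone_keys example.com.` actually deletes, and only keys whose remove time has passed, so a key that is still in any earlier rollover state (published, active, retiring) is never touched. With the constructed listing and a "now" of 1640000000, only d4e5f6 is reported: its removal was scheduled for 1630086400, while f0e1d2 is not due until 1700000000.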
