I have a policy for which I pre-generated keys. After removing the one zone from the policy, I ran "bin/ods-ksmutil key purge --policy quicky" which removed 5 keys (presumably the ones linked to that zone).
But now there are still plenty of keys in the HSM and database allocated to policy quicky (according to table keypairs), but when I try to re-add a zone to the policy, I get:

Sep 13 14:45:46 opendnssec ods-enforcerd: Not enough keys to satisfy ksk policy for zone: quicky-large.lu
Sep 13 14:45:46 opendnssec ods-enforcerd: ods-enforcerd will create some more keys on its next run
Sep 13 14:45:46 opendnssec ods-enforcerd: Error allocating ksks to zone quicky-large.lu

I understood from Sion that this is a known issue. But how do I get rid of the orphaned keys? Is there anything better than a command along the lines of "DELETE FROM keypairs WHERE policy_id=2" (and piping the key id through ods-hsmutil remove)?

Gilles

--
Fondation RESTENA - DNS-LU
6, rue Coudenhove-Kalergi
L-1359 Luxembourg
tel: (+352) 424409
fax: (+352) 422473
