On 13/12/10 12:57, Sion Lloyd wrote:
>> Inspecting kasp.db does list the keys that are unknown to the HSM, even
>> after the re-adding and removal of zone example.com, which gets these
>> keys added to it. I'll send you the kasp.db off-list, but I assume that
>> it would be possible to use regular SQL to remove the missing keys from
>> the kasp.db 'keypairs' table?
>
> Yes, that would work. It looks like the keys were never used, so the system
> thinks that they are available for any new zone that you add.
>
> I'm still unsure as to how the database got into this state, deleting the
> zone should leave the keys in the HSM. Unless you run "ods-ksmutil key purge".
>
ods-ksmutil key purge does not remove them, despite looking up the correct policy to use in the purge command (maybe because removing the key from the HSM fails?). Manually deleting them from the kasp.db did work.

I now have a new and nicely signed example.com zone. Thanks for helping out. ;)

-- 
Tom
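The manual clean-up discussed in this thread, written out as an added example (not code from the thread or from the OpenDNSSEC project): reconcile the rows of a kasp.db-style 'keypairs' table against the key ids the HSM actually holds, refuse to touch rows that a zone still references, and only delete after a dry run. The table and column names (keypairs.id, keypairs.HSMkey_id, dnsseckeys.keypair_id) and the sample rows are assumptions constructed for the example; check them against your own kasp.db schema before using the queries.

```python
# Added example, not from the thread or OpenDNSSEC: reconcile a kasp.db-style
# 'keypairs' table against the key ids present in the HSM. Table and column
# names are assumptions modelled on OpenDNSSEC 1.x; verify against your schema.
import sqlite3


def open_constructed_kasp_db() -> sqlite3.Connection:
    """Build an in-memory stand-in for kasp.db with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE keypairs (id INTEGER PRIMARY KEY, HSMkey_id TEXT, policy_id INTEGER);
        CREATE TABLE dnsseckeys (id INTEGER PRIMARY KEY, keypair_id INTEGER, zone_id INTEGER);
        INSERT INTO keypairs VALUES (1, 'aaaa1111', 1);  -- in HSM, allocated to a zone
        INSERT INTO keypairs VALUES (2, 'bbbb2222', 1);  -- in HSM, unused
        INSERT INTO keypairs VALUES (3, 'cccc3333', 1);  -- missing from HSM, unused
        INSERT INTO keypairs VALUES (4, 'dddd4444', 1);  -- missing from HSM, still allocated
        INSERT INTO dnsseckeys VALUES (1, 1, 1);
        INSERT INTO dnsseckeys VALUES (2, 4, 1);
    """)
    return conn


def find_orphaned_keypairs(conn, hsm_key_ids):
    """Split keypairs absent from the HSM into (safe to delete, still allocated).
    Only rows no zone references are candidates for deletion."""
    present = set(hsm_key_ids)
    missing = [row for row in conn.execute("SELECT id, HSMkey_id FROM keypairs")
               if row[1] not in present]
    allocated = {r[0] for r in conn.execute("SELECT keypair_id FROM dnsseckeys")}
    orphans = [row for row in missing if row[0] not in allocated]
    in_use = [row for row in missing if row[0] in allocated]
    return orphans, in_use


def remove_orphaned_keypairs(conn, hsm_key_ids, dry_run=True):
    """Delete orphan rows in a single transaction; with dry_run only report them."""
    orphans, in_use = find_orphaned_keypairs(conn, hsm_key_ids)
    for row in in_use:
        print(f"keypair {row[0]} ({row[1]}) missing from HSM but still allocated; skipping")
    if dry_run:
        return orphans
    with conn:  # commits on success, rolls back if any DELETE fails
        conn.executemany("DELETE FROM keypairs WHERE id = ?", [(r[0],) for r in orphans])
    return orphans


if __name__ == "__main__":
    db = open_constructed_kasp_db()
    hsm_inventory = ["aaaa1111", "bbbb2222"]  # constructed: what the HSM reports
    print("would delete:", remove_orphaned_keypairs(db, hsm_inventory, dry_run=True))
    print("deleted:", remove_orphaned_keypairs(db, hsm_inventory, dry_run=False))
```

Take a copy of kasp.db before running the non-dry-run path; the HSM inventory would come from your HSM's own listing tool rather than the constructed list above.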
_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
