On Thu, Mar 11, 2021 at 08:15:21AM +0100, Michael Grimm via Opendnssec-user wrote:
> >> And, I found out (while investigating) that my SoftHSM repository is
> >> huge …
> >>
> >> dns2> ls -al /var/lib/softhsm/tokens/x-y-z/ | wc
> >>     9692   96912  910872
> >>
> >> … that a …
> >>
> >> dns2> ods-hsmutil list
> >>
> >> Listing keys in all repositories.
> >>
> >> … hangs "forever" (1 hour at least).
> >>
> >> Hmm, is this something to worry about?
> >
> > Not if it's that large.
> >
> > Depending on your ZSK-rollover frequency it might be that there are
> > still a lot of old keys in the HSM which OpenDNSSEC has no information
> > any longer.
>
> Rollover frequency is 90 days, not very frequently, though.
>
> Excuse my ignorance, but how can one find out which keys are needed and those
> who are not?
> And if found, how to purge them manually?
>
> I did google, but I couldn't find appropriate information in this regard.
> But I might have well looked for the wrong "buzz words" ;-)

Discrepancy between the keys listed using "ods-enforcer key list -v", where you
would need the CKA_ID field, as compared to the list from ods-hsmutil, where it
is the ID field. I would however refrain from deleting the keys manually.

There may also be a large number of keys that have been pre-generated if you
have set a long AutomaticKeyGenerationPeriod compared to at least one of the
key lifetimes in the kasp.xml policies. If you have a policy with a key roll of
7 days, with a (default) key generation period of one year, it will
pre-generate the keys for each of these zones for that period.

\Berry

_______________________________________________
Opendnssec-user mailing list
Opendnssec-user@lists.opendnssec.org
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
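As an added example (not from the thread and not OpenDNSSEC's own code), the comparison Berry describes in Python: collect the CKA_ID values from `ods-enforcer key list -v`, collect the ID values from `ods-hsmutil list`, and report which HSM keys the enforcer's zone listing does not reference. The two listings are constructed samples that only approximate the real column layout of those commands (an assumption; CKA_IDs are taken to be 32 hex characters). The script reports only and deletes nothing, since an unreferenced key may be a leftover from an old rollover or one pre-generated under a long AutomaticKeyGenerationPeriod, and the enforcer still owns the latter.

```python
import re

# Constructed sample of `ods-enforcer key list -v` output. The column layout is
# an approximation of OpenDNSSEC 2.x, not copied from the list post.
ENFORCER_OUTPUT = """\
Zone:         Keytype: State:   Date of next transition: Size: Algorithm: CKA_ID:                          Repository: KeyTag:
example.com   KSK      active   2021-06-01 00:00:00      2048  8          0f3b3c9d6a5e4b2a8c1d0e9f7a6b5c4d SoftHSM     12345
example.com   ZSK      active   2021-04-15 00:00:00      1024  8          1a2b3c4d5e6f708192a3b4c5d6e7f809 SoftHSM     23456
example.net   ZSK      publish  2021-03-20 00:00:00      1024  8          ffeeddccbbaa99887766554433221100 SoftHSM     34567
"""

# Constructed sample of `ods-hsmutil list` output (same caveat on layout).
HSMUTIL_OUTPUT = """\
Listing keys in all repositories.
5 keys found.

Repository       ID                                 Type
----------       --                                 ----
SoftHSM          0f3b3c9d6a5e4b2a8c1d0e9f7a6b5c4d   RSA/2048
SoftHSM          1a2b3c4d5e6f708192a3b4c5d6e7f809   RSA/1024
SoftHSM          ffeeddccbbaa99887766554433221100   RSA/1024
SoftHSM          00112233445566778899aabbccddeeff   RSA/1024
SoftHSM          deadbeefdeadbeefdeadbeefdeadbeef   RSA/1024
"""

# A CKA_ID / hsmutil ID is assumed to be exactly 32 hex characters.
HEX_ID = re.compile(r"^[0-9a-fA-F]{32}$")


def parse_enforcer_ids(text):
    """Return the set of CKA_IDs referenced by zones in the enforcer listing."""
    ids = set()
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("Zone:"):
            continue  # blank line or column header
        # Pick the CKA_ID column by shape rather than position, so a shifted
        # column width does not break the match.
        for field in fields:
            if HEX_ID.match(field):
                ids.add(field.lower())
    return ids


def parse_hsmutil(text):
    """Return {id: (repository, key_type)} for every key row in hsmutil output."""
    keys = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or not HEX_ID.match(fields[1]):
            continue  # header, separator, count line or blank line
        keys[fields[1].lower()] = (fields[0], fields[2])
    return keys


def reconcile(enforcer_text, hsmutil_text):
    """Compare both listings; report only, never delete."""
    referenced = parse_enforcer_ids(enforcer_text)
    in_hsm = parse_hsmutil(hsmutil_text)
    return {
        # In the HSM but not attached to any zone: old rollover leftovers or
        # pre-generated keys the enforcer has not handed out yet. Review only.
        "unreferenced": sorted(k for k in in_hsm if k not in referenced),
        # Referenced by a zone but absent from the HSM: the serious case, since
        # signing for that zone will fail.
        "missing_from_hsm": sorted(k for k in referenced if k not in in_hsm),
    }


if __name__ == "__main__":
    report = reconcile(ENFORCER_OUTPUT, HSMUTIL_OUTPUT)
    print("HSM keys not referenced by any zone (review, do not delete blindly):")
    for key_id in report["unreferenced"]:
        print("  ", key_id)
    print("Zone keys missing from the HSM:")
    for key_id in report["missing_from_hsm"]:
        print("  ", key_id)
```

On a real host the two constants would be replaced by the captured output of the two commands (for example via `subprocess.run([...], capture_output=True, text=True).stdout`); the column-shape matching is what keeps the script tolerant of small layout differences between OpenDNSSEC versions.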