(Berry) A.W. van Halderen <be...@nlnetlabs.nl> wrote:
> On Thu, Mar 11, 2021 at 08:15:21AM +0100, Michael Grimm via Opendnssec-user wrote:

>>> Depending on your ZSK-rollover frequency it might be that there are
>>> still a lot of old keys in the HSM which OpenDNSSEC has no information
>>> any longer.
>> 
>> Rollover frequency is 90 days, not very frequently, though.
>> 
>> Excuse my ignorance, but how can one find out which keys are needed and 
>> which are not?
>> And if found, how to purge them manually?
>> 
>> I did google, but I couldn't find appropriate information in this regard. 
>> But I might have well looked for the wrong "buzz words" ;-)
> 
> Discrepancy between the keys listed using "ods-enforcer key list -v", where
> you would need the CKA_ID field, as compared to the list ods-hsmutil, the
> field ID.  I would however refrain from deleting the keys manually.

In the meantime I did succeed in getting an output of "ods-hsmutil list" ...

> There may also be a large number of keys that have been pre-generated
> if you have set a long AutomaticKeyGenerationPeriod compared to
> at least one of the key lifetimes in the kasp.xml policies.  If you
> have a policy with a key roll of 7 days, with a (default) key generation
> period of one year, it will pre-generate the keys for each of these zones
> for that period.

… and now I understand what might have "happened" in having such a large 
repository for just 8 domains.

End of 2019 I did migrate from RSA to ECDSA keys, both for KSK and ZSK. And 
during that time I did some tests with very short key generation periods, which 
might have blown up my repository. Note: I did test my first KSK rollover with 
RSA.

Today I do find (zzz-ods-hsmutil-list is the output of a previous "ods-hsmutil 
list" run):

        dns2> wc zzz-ods-hsmutil-list 
            4781   14339  320112 zzz-ods-hsmutil-list

        dns2> grep RSA zzz-ods-hsmutil-list | wc
            4707   14121  315369

Thus less than 100 of my 4781 keys are ECDSA, and it would be very easy for me 
to remove no longer needed keys manually.

But, do you still recommend not to do so?
If not, when will these keys become purged automatically? 
Could be 10 years (lifetime of my KSKs)?

Thanks and regards,
Michael

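The comparison Berry describes (CKA_ID from `ods-enforcer key list -v` against the ID column of `ods-hsmutil list`) can be scripted so that it only reports, which keeps to his advice not to delete keys by hand. The script below is an added example, not code from the thread or from the OpenDNSSEC project; the two embedded outputs are constructed samples, and the exact column layout of both commands is an assumption. The script relies only on the 32-hex-character key id token appearing somewhere on each key line, so it tolerates layout differences. Run it as `sh check-hsm-keys.sh` after replacing the samples with the real command output.

```sh
#!/bin/sh
# Added example (not the thread author's or OpenDNSSEC's own code).
# Reports HSM keys the enforcer no longer references, and the reverse
# case (enforcer keys missing from the HSM). Report-only: nothing is deleted.

# Constructed sample of "ods-enforcer key list -v" output (layout assumed).
ENFORCER_SAMPLE='Keys:
Zone:        Keytype: State:  Date of next transition: Size: Algorithm: CKA_ID:                          Repository: KeyTag:
example.com  KSK      active  2031-01-01 00:00:00      256   13         0a1b2c3d4e5f60718293a4b5c6d7e8f9 SoftHSM     12345
example.com  ZSK      active  2021-06-09 00:00:00      256   13         1b2c3d4e5f60718293a4b5c6d7e8f90a SoftHSM     23456
example.com  ZSK      publish 2021-06-09 00:00:00      256   13         2c3d4e5f60718293a4b5c6d7e8f90a1b SoftHSM     34567'

# Constructed sample of "ods-hsmutil list" output (layout assumed).
HSM_SAMPLE='Listing keys in all repositories.
5 keys found.

Repository  ID                                Type
----------  --                                ----
SoftHSM     0a1b2c3d4e5f60718293a4b5c6d7e8f9  ECDSA/P-256
SoftHSM     1b2c3d4e5f60718293a4b5c6d7e8f90a  ECDSA/P-256
SoftHSM     2c3d4e5f60718293a4b5c6d7e8f90a1b  ECDSA/P-256
SoftHSM     3d4e5f60718293a4b5c6d7e8f90a1b2c  RSA/2048
SoftHSM     4e5f60718293a4b5c6d7e8f90a1b2c3d  RSA/2048'

# Read command output on stdin; emit every 32-hex-char token (the key id),
# lower-cased, sorted and de-duplicated, one per line.
extract_ids() {
    tr -s ' \t' '\n' | grep -xE '[0-9a-fA-F]{32}' | tr 'A-F' 'a-f' | sort -u
}

# Print ids present in the second listing but absent from the first.
# $1 = reference listing text, $2 = listing to check.
ids_not_in() {
    tmp=$(mktemp) || return 1
    printf '%s\n' "$1" | extract_ids > "$tmp"
    printf '%s\n' "$2" | extract_ids | grep -vxF -f "$tmp"
    rc=$?
    rm -f "$tmp"
    # grep exits 1 when nothing is left over; that is a clean result, not an error.
    [ "$rc" -le 1 ]
}

# HSM keys the enforcer has no record of: candidates to review, not to delete blindly.
orphaned_ids() {
    ids_not_in "$1" "$2"
}

# Keys the enforcer expects but the HSM does not hold: signing will fail for these.
missing_ids() {
    ids_not_in "$2" "$1"
}

# Count HSM keys whose line mentions the given algorithm label (e.g. RSA, ECDSA),
# mirroring the "grep RSA ... | wc" check from the thread.
count_by_algorithm() {
    printf '%s\n' "$2" | grep -c -- "$1"
}

# Stand-alone run against the constructed samples.
echo "HSM keys unknown to the enforcer:"
orphaned_ids "$ENFORCER_SAMPLE" "$HSM_SAMPLE"
echo "Enforcer keys missing from the HSM:"
missing_ids "$ENFORCER_SAMPLE" "$HSM_SAMPLE"
echo "RSA keys in HSM: $(count_by_algorithm RSA "$HSM_SAMPLE")"
```

The `missing_ids` direction is the one to check first: a key the enforcer still references but the HSM no longer holds breaks signing, whereas an orphaned HSM key only costs storage. Keep the orphan report as a file alongside the enforcer's own records before acting on any of it.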
_______________________________________________
Opendnssec-user mailing list
Opendnssec-user@lists.opendnssec.org
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user