On 2021-07-09 09:17, Philip Paeps via Opendnssec-user wrote:
Following my adventures upgrading a moderately neglected (but well automated!) installation last month, I've been poking around the filesystem looking for stale things that might come and bite me later.

I discovered that I have 10016 files in /var/db/softhsm, 5006 of which are named *.object. This seems a little excessive for 22 zones with fairly boring policies:

  <Keys>
    <TTL>PT86400S</TTL>
    <RetireSafety>PT14400S</RetireSafety>
    <PublishSafety>PT14400S</PublishSafety>
    <Purge>P14D</Purge>
    <KSK>
      <Algorithm length="256">13</Algorithm>
      <Lifetime>P1Y</Lifetime>
      <Repository>SoftHSM</Repository>
    </KSK>
    <ZSK>
      <Algorithm length="256">13</Algorithm>
      <Lifetime>P90D</Lifetime>
      <Repository>SoftHSM</Repository>
    </ZSK>
  </Keys>

My enforcer setting is pretty boring too:

  <AutomaticKeyGenerationPeriod>P14D</AutomaticKeyGenerationPeriod>
This is probably due to a problem in OpenDNSSEC in versions prior to 2.1.8. This caused keys to be deleted from the listing of keys, but not actively removed from the HSM, as found by Stefan Ubbink from SIDN. Since you have selected automatic purging of keys, this (upon upgrade to 2.1.9) should be done automatically upon the next cycle of purging keys. You can force this using "ods-enforcer purge -d".

\Berry
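A way to see how many of those HSM objects are actually orphans before (and after) running the purge, as an added example that is not part of the thread and not OpenDNSSEC's own tooling: list what the HSM holds (`ods-hsmutil list`) and what the enforcer still references (`ods-enforcer key list --verbose`), then diff the two sets of key locators (CKA_IDs). The script only assumes that the locator appears on each line as a 32-character hex string; the two listings embedded below are constructed sample output, not real captures, and their column layout is illustrative.

```python
import re
from typing import Dict, List, Set

# Constructed sample output, not a real capture. The column layout is only
# illustrative; the logic below relies solely on the key locator (CKA_ID),
# a 32-character hex string, appearing somewhere on each line.
HSM_LISTING = """\
Listing keys in all repositories.
4 keys found.

Repository  ID                                Type
----------  --                                ----
SoftHSM     4f0c1d9a2b3e4c5d6e7f8091a2b3c4d5  ECDSA/256
SoftHSM     9a8b7c6d5e4f30211a2b3c4d5e6f7081  ECDSA/256
SoftHSM     0123456789abcdef0123456789abcdef  ECDSA/256
SoftHSM     fedcba9876543210fedcba9876543210  ECDSA/256
"""

ENFORCER_LISTING = """\
Zone:        Keytype: State:  Date of next transition: Size: Algorithm: CKA_ID:                          Repository: KeyTag:
example.org  KSK      active  2022-07-01 00:00:00      256   13         4f0c1d9a2b3e4c5d6e7f8091a2b3c4d5 SoftHSM     12345
example.org  ZSK      publish 2021-07-23 00:00:00      256   13         9a8b7c6d5e4f30211a2b3c4d5e6f7081 SoftHSM     23456
"""

# Exactly 32 hex characters, not embedded in a longer hex run.
LOCATOR_RE = re.compile(r"(?<![0-9a-fA-F])[0-9a-fA-F]{32}(?![0-9a-fA-F])")


def extract_locators(listing: str) -> Set[str]:
    """Return the set of key locators (CKA_IDs) mentioned in a listing."""
    return {m.group(0).lower() for m in LOCATOR_RE.finditer(listing)}


def find_orphans(hsm_listing: str, enforcer_listing: str) -> Dict[str, List[str]]:
    """Compare the HSM's view of the keys with the enforcer's.

    'orphaned': present in the HSM but no longer referenced by any zone
                (candidates for 'ods-enforcer purge -d').
    'missing':  referenced by the enforcer but absent from the HSM
                (a real problem: signing with those keys will fail).
    """
    in_hsm = extract_locators(hsm_listing)
    in_db = extract_locators(enforcer_listing)
    return {
        "orphaned": sorted(in_hsm - in_db),
        "missing": sorted(in_db - in_hsm),
    }


if __name__ == "__main__":
    # Real use: replace the constants with the captured output of
    #   ods-hsmutil list
    #   ods-enforcer key list --verbose
    result = find_orphans(HSM_LISTING, ENFORCER_LISTING)
    print(f"{len(result['orphaned'])} key(s) in the HSM not referenced by any zone:")
    for locator in result["orphaned"]:
        print("  orphaned", locator)
    for locator in result["missing"]:
        print("  MISSING ", locator)
```

Treat the "orphaned" list as a count to watch, not as a list to delete by hand: keys the enforcer has pre-generated but not yet assigned to a zone (see AutomaticKeyGenerationPeriod) are legitimately in the HSM without showing up under a zone, and `ods-enforcer purge -d` decides from the enforcer's own database which objects are safe to remove. Run the script before and after the purge; the orphan count should drop, and "missing" should stay empty.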
