[Opendnssec-user] Removing old keys and policies
Julian Brost
2017-08-19 15:07:54 UTC
Hi,

I'm currently running OpenDNSSEC 2.1.3 and after some experimenting, I
now want to remove some old policies and keys. Some of the testing has
already been done using version 1.4 or 2.0 and the installation was
upgraded.

When I try to remove the old policy "lab2", I get this error:

# ods-enforcer policy import -r
[...]
Unable to delete policy lab2, there are still hsm keys using this policy!

However, there is no zone left using that policy and trying to purge its
keys doesn't succeed either:

# ods-enforcer key purge -p lab2
No zones on policy lab2
No keys to purge

What's the best way to proceed in this situation? Are there any tools
that can help me? Is it safe to manually remove keys from the table
"hsmKey" in the database after stopping OpenDNSSEC?

Regards,
Julian
Hoda Rohani
2017-08-21 07:37:19 UTC
Hello,
Post by Julian Brost
Hi,
I'm currently running OpenDNSSEC 2.1.3 and after some experimenting, I
now want to remove some old policies and keys. Some of the testing has
already been done using version 1.4 or 2.0 and the installation was
upgraded.
# ods-enforcer policy import -r
[...]
Unable to delete policy lab2, there are still hsm keys using this policy!
However, there is no zone left using that policy and trying to purge its
# ods-enforcer key purge -p lab2
No zones on policy lab2
No keys to purge
Didn't expect that.
Post by Julian Brost
What's the best way to proceed in this situation? Are there any tools
that can help me? Is it safe to manually remove keys from the table
"hsmKey" in the database after stopping OpenDNSSEC?
I'd like to see your database. Is it possible to send it privately to me?
Post by Julian Brost
Regards,
Julian
Best regards,
Hoda Rohani
Post by Julian Brost
_______________________________________________
Opendnssec-user mailing list
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
Julian Brost
2017-08-21 10:33:32 UTC
Post by Hoda Rohani
Hello,
Post by Julian Brost
Hi,
I'm currently running OpenDNSSEC 2.1.3 and after some experimenting, I
now want to remove some old policies and keys. Some of the testing has
already been done using version 1.4 or 2.0 and the installation was
upgraded.
# ods-enforcer policy import -r
[...]
Unable to delete policy lab2, there are still hsm keys using this policy!
However, there is no zone left using that policy and trying to purge its
# ods-enforcer key purge -p lab2
No zones on policy lab2
No keys to purge
Didn't expect that.
I think these keys are somehow left over from my experiments with
SoftHSM v2 where I at some point deleted all test zones using that repo
and wiped the SoftHSM v2 store.
Post by Hoda Rohani
Post by Julian Brost
What's the best way to proceed in this situation? Are there any tools
that can help me? Is it safe to manually remove keys from the table
"hsmKey" in the database after stopping OpenDNSSEC?
I'd like to see your database. Is it possible to send it privately to me?
Sure, you'll receive another mail in a few moments.

Regards,
Julian
Julian Brost
2017-08-22 13:27:23 UTC
Hi,

(follow-up on the public list, could also be of interest to others)
ods-enforcer policy purge
Purging policies
[...]
Yes, that command indeed works. Somehow I must have missed that command.
Please let me know if you still have a problem.
The table hsmKey still contains lots of keys that now no longer
reference a policy and no longer exist in SoftHSM either. Is that
supposed to happen?

Thanks for your help!

Regards,
Julian
Hoda Rohani
2017-08-22 15:41:03 UTC
Hello,
Post by Julian Brost
Hi,
(follow-up on the public list, could also be of interest to others)
ods-enforcer policy purge
Purging policies
[...]
Yes, that command indeed works. Somehow I must have missed that command.
Please let me know if you still have a problem.
The table hsmKey still contains lots of keys that now no longer
reference a policy and no longer exist in SoftHSM either. Is that
supposed to happen?
Unfortunately there is no way to get rid of those keys except manually removing them from the database.

I personally think it would be better to have a command to remove those keys from hsmkey table. I will talk about this
with other people.
Post by Julian Brost
Thanks for your help!
Regards,
Julian
Regards,
Hoda Rohani
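The thread ends with "manually removing them from the database" and no tooling for it. The script below is an added example of how an administrator could do that cautiously; it is not code from the thread participants or from the OpenDNSSEC project. It assumes the enforcer database is SQLite (the default `kasp.db`), that the relevant tables contain at least `policy(id, name)` and `hsmKey(id, policyId, locator, repository)`, and that key locators are 32 hex characters as printed by `ods-hsmutil list`; the sample database and the `ods-hsmutil list` output are constructed here so the script runs offline. A row is treated as removable only when both conditions from the thread hold (its policy is gone and its key material is gone from the HSM); rows where only one holds are reported for review rather than deleted, and the delete runs as a dry run by default.

```python
"""Identify and remove orphaned hsmKey rows after `ods-enforcer policy purge`.

Added example, not OpenDNSSEC's own tooling. Assumed (not verified against
the project schema): SQLite enforcer DB with tables policy(id, name) and
hsmKey(id, policyId, locator, repository); locators are 32 hex characters.
"""
import re
import sqlite3

# Constructed approximation of `ods-hsmutil list` output (not real output).
SAMPLE_HSMUTIL_OUTPUT = """\
Listing keys in all repositories.
2 keys found.

Repository   ID                                 Type
----------   --                                 ----
SoftHSM      a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1   RSA/2048
SoftHSM      c3c3c3c3c3c3c3c3c3c3c3c3c3c3c3c3   RSA/2048
"""


def hsm_locators(hsmutil_output):
    """Return the set of key locators still present in the HSM, parsed from
    `ods-hsmutil list` text (assumption: locators are 32 hex characters)."""
    return set(re.findall(r"\b[0-9a-f]{32}\b", hsmutil_output))


def build_sample_db():
    """Constructed in-memory stand-in for kasp.db, mirroring the thread:
    policy 2 ('lab2') has been purged, some of its keys are gone from SoftHSM."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE policy (id INTEGER PRIMARY KEY, name TEXT NOT NULL);
        CREATE TABLE hsmKey (id INTEGER PRIMARY KEY, policyId INTEGER NOT NULL,
                             locator TEXT NOT NULL, repository TEXT NOT NULL);
        INSERT INTO policy VALUES (1, 'default');
        -- live policy, key present in HSM: healthy
        INSERT INTO hsmKey VALUES (1, 1, 'a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1', 'SoftHSM');
        -- purged policy, key wiped from HSM: the leftover rows from the thread
        INSERT INTO hsmKey VALUES (2, 2, 'b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2', 'SoftHSM');
        -- purged policy but key material still in HSM: needs a human decision
        INSERT INTO hsmKey VALUES (3, 2, 'c3c3c3c3c3c3c3c3c3c3c3c3c3c3c3c3', 'SoftHSM');
        -- live policy but key missing from HSM: a real problem, do not hide it
        INSERT INTO hsmKey VALUES (4, 1, 'd4d4d4d4d4d4d4d4d4d4d4d4d4d4d4d4', 'SoftHSM');
    """)
    return conn


def classify_keys(conn, present_locators):
    """Split hsmKey rows into (safe_to_delete, needs_review) by id.

    safe_to_delete: the referenced policy row no longer exists AND the locator
    is absent from the HSM. needs_review: exactly one of those holds."""
    safe, review = [], []
    rows = conn.execute(
        "SELECT k.id, k.locator, p.id IS NULL "
        "FROM hsmKey k LEFT JOIN policy p ON p.id = k.policyId "
        "ORDER BY k.id"
    ).fetchall()
    for key_id, locator, policy_gone in rows:
        in_hsm = locator in present_locators
        if policy_gone and not in_hsm:
            safe.append(key_id)
        elif policy_gone or not in_hsm:
            review.append(key_id)
    return safe, review


def delete_keys(conn, key_ids, dry_run=True):
    """Delete the given hsmKey rows in one transaction; return the row count.
    With dry_run=True the transaction is rolled back, so nothing changes."""
    if not key_ids:
        return 0
    placeholders = ",".join("?" * len(key_ids))
    cur = conn.execute(
        f"DELETE FROM hsmKey WHERE id IN ({placeholders})", list(key_ids)
    )
    deleted = cur.rowcount
    if dry_run:
        conn.rollback()
    else:
        conn.commit()
    return deleted


if __name__ == "__main__":
    # On a real installation: stop ods-enforcerd, back up the database, then
    # use sqlite3.connect("/path/to/kasp.db") (placeholder path) instead of
    # build_sample_db(), and feed the real `ods-hsmutil list` output below.
    conn = build_sample_db()
    present = hsm_locators(SAMPLE_HSMUTIL_OUTPUT)
    safe, review = classify_keys(conn, present)
    print("safe to delete:", safe)          # [2]
    print("needs review:", review)          # [3, 4]
    print("dry run would delete:", delete_keys(conn, safe, dry_run=True))
```

Run it once as a dry run, inspect the "needs review" list (a key tied to a live policy but missing from the HSM is a signing problem, not cleanup), and only then call `delete_keys(..., dry_run=False)` against the backed-up database.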
