Discussion:
[Opendnssec-user] Remove keys not in repository
Arun Natarajan
2017-06-11 09:05:16 UTC
Hello,

I accidentally ended up in a state where the key with CKA_ID
"fc1c149afbf4c8996fb92427" does not exist in SoftHSM.

  example.com ZSK active 2017-12-15 14:35:15 (retire) 2048 8 fc1c149afbf4c8996fb92427 SoftHSM_1 NOT IN repository
  example.com KSK ready waiting for ds-seen (active) 2048 8 fc1c149afbf4c8996fb92427 SoftHSM_2 NOT IN repository

But ODS put those keys in the active state for the ZSK and the ready state (ds-seen)
for the KSK. Basically I cannot just delete the keys from ODS:

"The enforcer believes that this key is in use, quitting..."

With a rollover the ZSK is fine: it published a new key. But for the KSK,
ds-seen or a rollover does not help.

- ds-seen:
  cka_id fc1c149afbf4c8996fb92427 in DB but NOT IN repository
  No keys in the READY state matched your parameters, please check the parameters

I'd appreciate any advice on how to get rid of the non-HSM KSK CKA_ID.

-
Thanks
Arun
Yuri Schaeffer
2017-06-11 19:28:54 UTC
Hi Arun,

What version of OpenDNSSEC are you using?

//Yuri
_______________________________________________
Opendnssec-user mailing list
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
Arun Natarajan
2017-06-11 22:59:05 UTC
Hi Yuri,

ODS version 1.4.12 (LTS).

--
arun
Yuri Schaeffer
2017-06-12 08:22:41 UTC
Hi Arun,
Post by Arun Natarajan
appreciate any advice, to get rid of the non-hsm KSK CKA_ID?
ods-ksmutil key delete --cka_id fc1c149afbf4c8996fb92427 --no-hsm

Might have OpenDNSSEC skip the 'in use' check.

Please let me know if that works,
Yuri
Arun Natarajan
2017-06-12 09:27:14 UTC
Hi Yuri,
Post by Yuri Schaeffer
ods-ksmutil key delete --cka_id fc1c149afbf4c8996fb92427 --no-hsm
Might have OpenDNSSEC skip the 'in use' check.
I tried this actually, but:
"The enforcer believes that this key is in use, quitting..."

--
arun
Yuri Schaeffer
2017-06-12 09:36:27 UTC
Post by Arun Natarajan
I tried this actually but,
"The enforcer believes that this key is in use, quitting..."
Try adding --force.
It isn't documented in the output of ksmutil help, but looking at the
code it should accept this flag.

//Yuri
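As an added example, not part of the thread and not code from the OpenDNSSEC project, the POSIX shell script below parses key-list output in the layout Arun pasted, flags every key the enforcer database still tracks but the HSM no longer holds (the "NOT IN repository" marker), and prints the cleanup command Yuri arrived at (key delete with --no-hsm and the undocumented --force flag). The sample listing is constructed from the thread, and the column layout it assumes (the CKA_ID directly before the repository name, the marker at the end of the line) is an assumption taken from that listing rather than from the ods-ksmutil documentation; check it against your own output before relying on it.

```shell
#!/bin/sh
# Added example (not from the thread or from OpenDNSSEC): reconcile the
# enforcer's view of keys with what the HSM actually holds, using the
# "NOT IN repository" marker that ods-ksmutil appends to such keys.
#
# SAMPLE_KEY_LIST is a constructed listing modelled on Arun's post: two
# records share a CKA_ID that the HSM has lost, plus one healthy key.
SAMPLE_KEY_LIST='example.com ZSK active 2017-12-15 14:35:15 (retire) 2048 8 fc1c149afbf4c8996fb92427 SoftHSM_1 NOT IN repository
example.com KSK ready waiting for ds-seen (active) 2048 8 fc1c149afbf4c8996fb92427 SoftHSM_2 NOT IN repository
example.com ZSK publish 2017-06-12 10:00:00 (ready) 2048 8 0123456789abcdef01234567 SoftHSM_1'

# missing_keys LISTING
# Prints "zone keytype cka_id repository" for each record flagged as missing
# from the HSM. Assumption (from the thread's layout): the last three fields
# are the marker "NOT IN repository", preceded by the repository name, which
# is preceded by the CKA_ID. The state/date columns in between vary in
# width, so we count from the end of the line rather than the start.
missing_keys() {
    printf '%s\n' "$1" | awk '
        /NOT IN repository$/ {
            cka  = $(NF - 4)   # CKA_ID sits before the repository name
            repo = $(NF - 3)   # repository name sits before "NOT IN repository"
            print $1, $2, cka, repo
        }'
}

# missing_count LISTING
# Number of records flagged as missing (handy for a monitoring check that
# should alert on anything other than 0).
missing_count() {
    missing_keys "$1" | wc -l | tr -d ' '
}

# cleanup_commands LISTING
# One "ods-ksmutil key delete" line per distinct missing CKA_ID. --no-hsm
# tells ksmutil not to touch the HSM (there is nothing there to remove);
# --force is the flag Yuri found in the code that bypasses the "enforcer
# believes this key is in use" check. Print, review, then run by hand:
# a key the enforcer considers active should only be forced out once a
# replacement key is in place (the ZSK had rolled in Arun's case).
cleanup_commands() {
    missing_keys "$1" \
        | awk '{ printf "ods-ksmutil key delete --cka_id %s --no-hsm --force\n", $3 }' \
        | sort -u
}

# Stand-alone run: report on the constructed sample.
echo "keys missing from HSM: $(missing_count "$SAMPLE_KEY_LIST")"
missing_keys "$SAMPLE_KEY_LIST"
echo "suggested cleanup:"
cleanup_commands "$SAMPLE_KEY_LIST"
```

To run it against a live enforcer, feed the real listing in place of the sample, e.g. `cleanup_commands "$(ods-ksmutil key list --verbose)"`, and compare the reported CKA_IDs with what the HSM holds before deleting anything; a key that shows up here while its zone has no ready replacement is a signing outage waiting to happen, not something to force out.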
Arun Natarajan
2017-06-12 10:33:55 UTC
Great, that works!

Thanks again :)

Regards,
arun