Following my adventures upgrading a moderately neglected (but well
automated!) installation last month, I've been poking around the
filesystem looking for stale things that might come and bite me later.
I discovered that I have 10016 files in /var/db/softhsm, 5006 of which
are named *.object. This seems a little excessive for 22 zones with
fairly boring policies:
<Keys>
<TTL>PT86400S</TTL>
<RetireSafety>PT14400S</RetireSafety>
<PublishSafety>PT14400S</PublishSafety>
<Purge>P14D</Purge>
<KSK>
<Algorithm length="256">13</Algorithm>
<Lifetime>P1Y</Lifetime>
<Repository>SoftHSM</Repository>
</KSK>
<ZSK>
<Algorithm length="256">13</Algorithm>
<Lifetime>P90D</Lifetime>
<Repository>SoftHSM</Repository>
</ZSK>
</Keys>
My enforcer setting is pretty boring too:
<AutomaticKeyGenerationPeriod>P14D</AutomaticKeyGenerationPeriod>
Digging a little deeper, I found this:
# sqlite3 /usr/local/var/opendnssec/kasp.db
sqlite> select count(*) from hsmKey;
3516
sqlite> select count(*) from hsmKey where algorithm != 13;
2106
This would suggest there are about 1500 keys known to softhsm2 that
aren't known to OpenDNSSEC. Moreover, there are 2106 RSA keys known to
OpenDNSSEC but not used by any zones (all my policies are ECC).
I suspect that these were pre-generated keys for long-gone zones.
Does anyone have any scripts to make more sense of what's in softhsm2
and in the OpenDNSSEC database?
Thanks!
Best wishes.
Philip
--
Philip Paeps
Senior Reality Engineer
Alternative Enterprises
_______________________________________________
Opendnssec-user mailing list
Opendnssec-user@lists.opendnssec.org
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
