On 2021-07-09 15:55:25 (+0800), Berry van Halderen via Opendnssec-user wrote:
> On 2021-07-09 09:17, Philip Paeps via Opendnssec-user wrote:
>> Following my adventures upgrading a moderately neglected (but well
>> automated!) installation last month, I've been poking around the
>> filesystem looking for stale things that might come and bite me later.
>>
>> I discovered that I have 10016 files in /var/db/softhsm, 5006 of which
>> are named *.object. This seems a little excessive for 22 zones with
>> fairly boring policies:
>>
>> <Keys>
>>   <TTL>PT86400S</TTL>
>>   <RetireSafety>PT14400S</RetireSafety>
>>   <PublishSafety>PT14400S</PublishSafety>
>>   <Purge>P14D</Purge>
>>   <KSK>
>>     <Algorithm length="256">13</Algorithm>
>>     <Lifetime>P1Y</Lifetime>
>>     <Repository>SoftHSM</Repository>
>>   </KSK>
>>   <ZSK>
>>     <Algorithm length="256">13</Algorithm>
>>     <Lifetime>P90D</Lifetime>
>>     <Repository>SoftHSM</Repository>
>>   </ZSK>
>> </Keys>
>>
>> My enforcer setting is pretty boring too:
>>
>> <AutomaticKeyGenerationPeriod>P14D</AutomaticKeyGenerationPeriod>
>>
>
> This is probably due to a problem in OpenDNSSEC in versions
> prior to 2.1.8. This caused keys to be deleted from the listing
> of keys, but not actively being removed from the HSM, as found by
> Stefan Ubbink from SIDN. Since you have selected automatic
> purging of keys this (upon upgrade to 2.1.9) should be done
> automatically upon the next cycle of purging keys. You can
> force this using "ods-enforcer purge -d".
I should have mentioned that I did that first. :-) A 'ods-enforcer key purge -d' removed 576 keys. Definitely an improvement!

Philip

-- 
Philip Paeps
Senior Reality Engineer
Alternative Enterprises
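A rough way to judge whether a SoftHSM object count is out of line with the policy quoted above, as an added example (not OpenDNSSEC code): it parses the KASP durations and estimates a baseline object count. The per-zone key model (active key, keys pre-generated within AutomaticKeyGenerationPeriod, retired keys still inside Purge) and the two-objects-per-key assumption are mine, so treat the result as an order-of-magnitude check, not the enforcer's own accounting.

```python
"""Rough sanity check: how many SoftHSM objects should a KASP policy produce?

Added example, not OpenDNSSEC code. The per-zone model is an assumption
(one active key, plus keys pre-generated within AutomaticKeyGenerationPeriod,
plus retired keys still inside the Purge window); the real enforcer state
machine differs in detail, so the result is only an order-of-magnitude baseline.
"""
import math
import re
import xml.etree.ElementTree as ET

# The <Keys> policy fragment quoted in the thread (22 zones, 5006 *.object files).
KASP_KEYS = """<Keys>
  <TTL>PT86400S</TTL>
  <RetireSafety>PT14400S</RetireSafety>
  <PublishSafety>PT14400S</PublishSafety>
  <Purge>P14D</Purge>
  <KSK><Algorithm length="256">13</Algorithm><Lifetime>P1Y</Lifetime><Repository>SoftHSM</Repository></KSK>
  <ZSK><Algorithm length="256">13</Algorithm><Lifetime>P90D</Lifetime><Repository>SoftHSM</Repository></ZSK>
</Keys>"""

# ISO 8601 duration subset used by KASP: P[nY][nM][nD][T[nH][nM][nS]]
_DUR = re.compile(r"^P(?:(\d+)Y)?(?:(\d+)M)?(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")

def iso_duration_seconds(text):
    """Convert a KASP duration to seconds (years as 365 days, months as 30 days)."""
    m = _DUR.match(text.strip())
    if not m:
        raise ValueError(f"unsupported duration: {text!r}")
    y, mo, d, h, mi, s = (int(g) if g else 0 for g in m.groups())
    return ((y * 365 + mo * 30 + d) * 24 + h) * 3600 + mi * 60 + s

def expected_keys_per_zone(keys_xml, keygen_period="P14D"):
    """Assumed model: active + pre-generated + retired-but-unpurged keys, per role."""
    root = ET.fromstring(keys_xml)
    purge = iso_duration_seconds(root.findtext("Purge"))
    pregen = iso_duration_seconds(keygen_period)
    total = 0
    for role in ("KSK", "ZSK"):
        lifetime = iso_duration_seconds(root.find(role).findtext("Lifetime"))
        total += 1 + math.ceil(pregen / lifetime) + math.ceil(purge / lifetime)
    return total

def expected_hsm_objects(keys_xml, zones, objects_per_key=2):
    """Assumes SoftHSM stores a key pair as separate public and private objects."""
    return expected_keys_per_zone(keys_xml) * zones * objects_per_key

if __name__ == "__main__":
    baseline = expected_hsm_objects(KASP_KEYS, zones=22)
    observed = 5006  # *.object files reported in the thread
    print(f"expected ~{baseline} objects, observed {observed}, ratio {observed / baseline:.0f}x")
```

A ratio this far above 1 is the kind of signal that points at leaked HSM objects rather than a busy rollover schedule; `ods-enforcer key list` gives the enforcer's side of the comparison.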