On 2021-07-09 15:55:25 (+0800), Berry van Halderen via Opendnssec-user wrote:
> On 2021-07-09 09:17, Philip Paeps via Opendnssec-user wrote:
>> Following my adventures upgrading a moderately neglected (but well
>> automated!) installation last month, I've been poking around the
>> filesystem looking for stale things that might come and bite me
>> later.
>>
>> I discovered that I have 10016 files in /var/db/softhsm, 5006 of which
>> are named *.object. This seems a little excessive for 22 zones with
>> fairly boring policies:
>>
>>     <Keys>
>>         <TTL>PT86400S</TTL>
>>         <RetireSafety>PT14400S</RetireSafety>
>>         <PublishSafety>PT14400S</PublishSafety>
>>         <Purge>P14D</Purge>
>>         <KSK>
>>             <Algorithm length="256">13</Algorithm>
>>             <Lifetime>P1Y</Lifetime>
>>             <Repository>SoftHSM</Repository>
>>         </KSK>
>>         <ZSK>
>>             <Algorithm length="256">13</Algorithm>
>>             <Lifetime>P90D</Lifetime>
>>             <Repository>SoftHSM</Repository>
>>         </ZSK>
>>     </Keys>
>>
>> My enforcer setting is pretty boring too:
>>
>>     <AutomaticKeyGenerationPeriod>P14D</AutomaticKeyGenerationPeriod>
>
> This is probably due to a problem in OpenDNSSEC in versions
> prior to 2.1.8. This caused keys to be deleted from the listing
> of keys, but not actively being removed from the HSM, as found by
> Stefan Ubbink from SIDN. Since you have selected automatic
> purging of keys, this (upon upgrade to 2.1.9) should be done
> automatically upon the next cycle of purging keys. You can
> force this using "ods-enforcer purge -d".
I did some more digging and it looks like the keys are related to a
policy which no longer exists.

    sqlite> select count(*) from hsmKey where policyId = 2;
    3465
    sqlite> select * from policy where id = 2;
    sqlite> select * from zone where policyId = 2;
    sqlite>

I'm not sure if that makes the problem better or worse. :-)
Philip
--
Philip Paeps
Senior Reality Engineer
Alternative Enterprises
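The three ad-hoc sqlite queries above check one policyId by hand. The script below, an added example that is not part of this thread or of OpenDNSSEC, generalises that check: it lists every hsmKey row whose policyId no longer has a policy row (a LEFT JOIN with an IS NULL filter), counts them per vanished policy, and separately lists policies that still exist but are referenced by no zone. It runs against a constructed in-memory database with a deliberately reduced schema (the table and column names hsmKey, policy, zone, policyId and locator follow the queries in the thread; the remaining columns of the real enforcer database are omitted). It only reports; removing keys from the HSM stays with `ods-enforcer purge -d` as Berry describes.

```python
import sqlite3
from collections import Counter

# Constructed, reduced stand-in for the OpenDNSSEC 2.x enforcer database.
# Only the columns this example needs are modelled; the real schema has more.
SCHEMA = """
CREATE TABLE policy (id INTEGER PRIMARY KEY, name TEXT NOT NULL);
CREATE TABLE zone   (id INTEGER PRIMARY KEY, policyId INTEGER NOT NULL,
                     name TEXT NOT NULL);
CREATE TABLE hsmKey (id INTEGER PRIMARY KEY, policyId INTEGER NOT NULL,
                     locator TEXT NOT NULL, repository TEXT NOT NULL);
"""


def build_demo_db() -> sqlite3.Connection:
    """Constructed sample data: policy 1 is live and used by one zone,
    policy 4 exists but is unused, and policies 2 and 3 were deleted while
    their hsmKey rows were left behind (the situation in the thread)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO policy VALUES (?, ?)",
                     [(1, "default"), (4, "legacy")])
    conn.execute("INSERT INTO zone VALUES (1, 1, 'example.net')")
    keys = [(1, 1, "aaaa0001", "SoftHSM"), (2, 1, "aaaa0002", "SoftHSM"),
            (3, 2, "bbbb0001", "SoftHSM"), (4, 2, "bbbb0002", "SoftHSM"),
            (5, 2, "bbbb0003", "SoftHSM"), (6, 3, "cccc0001", "SoftHSM")]
    conn.executemany("INSERT INTO hsmKey VALUES (?, ?, ?, ?)", keys)
    conn.commit()
    return conn


def find_orphaned_hsm_keys(conn):
    """Return (policyId, locator) for every hsmKey row whose policyId has no
    matching policy row. The LEFT JOIN keeps all key rows and yields NULL
    for the missing policy, so 'p.id IS NULL' selects exactly the orphans."""
    sql = """
    SELECT k.policyId, k.locator
      FROM hsmKey AS k
      LEFT JOIN policy AS p ON p.id = k.policyId
     WHERE p.id IS NULL
     ORDER BY k.policyId, k.locator
    """
    return [(pid, loc) for pid, loc in conn.execute(sql)]


def orphan_summary(conn) -> dict:
    """Orphaned key count per vanished policyId, i.e. the generalised form of
    'select count(*) from hsmKey where policyId = 2'."""
    return dict(Counter(pid for pid, _ in find_orphaned_hsm_keys(conn)))


def unreferenced_policies(conn):
    """Policies that still exist but are used by no zone: candidates for a
    manual review, reported only and never deleted by this script."""
    sql = """
    SELECT p.id, p.name
      FROM policy AS p
      LEFT JOIN zone AS z ON z.policyId = p.id
     WHERE z.id IS NULL
     ORDER BY p.id
    """
    return list(conn.execute(sql))


if __name__ == "__main__":
    db = build_demo_db()
    for pid, n in orphan_summary(db).items():
        print(f"policyId {pid}: {n} hsmKey row(s) but no policy row")
    for pid, locator in find_orphaned_hsm_keys(db):
        print(f"  orphan key locator {locator} (policyId {pid})")
    for pid, name in unreferenced_policies(db):
        print(f"policy {pid} ({name}) is referenced by no zone")
```

To use it on a real installation, replace `build_demo_db()` with `sqlite3.connect()` on a copy of the enforcer's database (the thread does not give its path) and run it read-only; the locators it prints can then be compared with `ods-enforcer key list` output before any purge is triggered.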
_______________________________________________
Opendnssec-user mailing list
Opendnssec-user@lists.opendnssec.org
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user