On 12/03/13 04:29, Klaus Darilion wrote:
> Hi!

Hi Klaus,

> As an ODS newbie I try to understand the key usage of ODS in an existing
> ODS deployment. "ods-hsmutil list" shows me plenty of keys. Some of
> them are currently used, some of them are "removed", and some of them
> will be used in the future. Unfortunately "ods-ksmutil key list -v" only
> shows me the currently used keys.

For clarity, ods-hsmutil and ods-ksmutil are two utilities for different purposes. ods-hsmutil interacts with your HSM: it shows you keys and their IDs (CKA_ID), and you can do benchmarking, create keys, etc. ods-ksmutil is intended for querying the KASP (Key and Signing Policy) database, which contains the zones you are signing, which keys are being used for signing, the current status of the keys, etc.

Effectively "ods-ksmutil key list -v" doesn't show the keys in GENERATE or DEAD state; there is a feature request for it (actually more than one):

https://issues.opendnssec.org/browse/OPENDNSSEC-358
https://issues.opendnssec.org/browse/ODSTRACIMPORT-97

> So, if I want to delete old keys from the HSM, how do I know which HSM
> keys are deprecated?

The HSM doesn't know about deprecated or dead keys; it is the KASP that knows that. You can use "ods-ksmutil key purge" to remove keys that are no longer needed.

> Further, is there a way to find out how many of the HSM keys are
> "Generated"? For example I want to know how long ODS can operate before
> running out of keys (e.g. to be included into a monitoring system).

Given it's not provided by ods-ksmutil yet, for our setup we wrote some Perl code that reads the KASP and gives you a number of "unallocated" keys per policy (given keys in the GENERATE state are not associated with a zone). The query is something like this:

    SELECT location, policy_id
      FROM keydata_view
     WHERE zone_id IS NULL
       AND policy_id = ?
       AND securitymodule_id = ?
       AND size = ?
       AND algorithm = ?

Bear in mind the query depends on the version of OpenDNSSEC you are using; if there are changes to the KASP, it could be invalidated.

I hope it helps,

Regards,

> Thanks
> Klaus
>
> _______________________________________________
> Opendnssec-user mailing list
> [email protected]
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user

--
Sebastian Castro
DNS Specialist
.nz Registry Services (New Zealand Domain Name Registry Limited)
desk: +64 4 495 2337
mobile: +64 21 400535
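The spare-key count that Sebastian describes, worked through as an added example (this is not the Perl code from the thread and not part of OpenDNSSEC). The schema below is a constructed stand-in for the KASP `keydata_view`: it models only the columns named in the query on the list, the rows are made-up sample data, and the real view's columns depend on the OpenDNSSEC version, as the reply warns. Beyond the single query, it also counts spare keys for every (policy, HSM, size, algorithm) combination present and flags the ones below a monitoring threshold, which is the check a monitoring system would actually run.

```python
import sqlite3

# Constructed stand-in for the OpenDNSSEC KASP "keydata_view". In a real
# deployment this is a view over the KASP database (columns vary by version);
# here a plain table with only the columns used by the query is assumed.
SCHEMA = """
CREATE TABLE keydata_view (
    location          TEXT,     -- CKA_ID of the key in the HSM
    policy_id         INTEGER,
    zone_id           INTEGER,  -- NULL: generated but not yet allocated to a zone
    securitymodule_id INTEGER,
    size              INTEGER,  -- key size in bits
    algorithm         INTEGER   -- DNSSEC algorithm number
);
"""

# Sample rows, made up for this example (CKA_IDs are placeholders).
SAMPLE_ROWS = [
    # location, policy_id, zone_id, securitymodule_id, size, algorithm
    ("0a11", 1, 10,   1, 2048, 8),  # KSK in use by zone 10
    ("0a12", 1, 10,   1, 1024, 8),  # ZSK in use by zone 10
    ("0a13", 1, None, 1, 1024, 8),  # spare ZSK for policy 1
    ("0a14", 1, None, 1, 1024, 8),  # spare ZSK for policy 1
    ("0a15", 1, None, 1, 2048, 8),  # spare KSK for policy 1
    ("0b21", 2, 20,   1, 1024, 8),  # ZSK in use by zone 20
    ("0b22", 2, None, 1, 1024, 8),  # the only spare ZSK for policy 2
]

# The query from the mailing-list reply, parameterised in the same order.
UNALLOCATED_QUERY = """
SELECT location, policy_id
  FROM keydata_view
 WHERE zone_id IS NULL
   AND policy_id = ?
   AND securitymodule_id = ?
   AND size = ?
   AND algorithm = ?
"""


def build_sample_db():
    """Create an in-memory database populated with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO keydata_view VALUES (?, ?, ?, ?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def unallocated_keys(conn, policy_id, securitymodule_id, size, algorithm):
    """Return the CKA_IDs of spare keys for one policy/HSM/size/algorithm combination."""
    rows = conn.execute(
        UNALLOCATED_QUERY, (policy_id, securitymodule_id, size, algorithm)
    ).fetchall()
    return [location for location, _policy in rows]


def unallocated_per_policy(conn):
    """Count spare keys for every (policy, HSM, size, algorithm) combination in the view."""
    combos = conn.execute(
        "SELECT DISTINCT policy_id, securitymodule_id, size, algorithm FROM keydata_view"
    ).fetchall()
    return {combo: len(unallocated_keys(conn, *combo)) for combo in combos}


def below_threshold(counts, minimum):
    """Return the combinations whose spare-key count is under the monitoring threshold."""
    return sorted(combo for combo, n in counts.items() if n < minimum)


if __name__ == "__main__":
    db = build_sample_db()
    counts = unallocated_per_policy(db)
    for combo, n in sorted(counts.items()):
        print("policy=%d hsm=%d size=%d alg=%d spare=%d" % (combo + (n,)))
    print("below threshold of 2:", below_threshold(counts, 2))
```

The grouping by (policy, HSM, size, algorithm) mirrors the query's WHERE clause: a spare 2048-bit key cannot stand in for a missing 1024-bit one, so each combination needs its own count and its own alert threshold in the monitoring system.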
