mirror of
https://gitlab.nic.cz/knot/knot-dns.git
synced 2026-06-09 00:22:42 -04:00
WIP doc/operation: describe cleanup of removed legacy DNSSEC keys
This commit is contained in:
parent
b66a054e52
commit
fade240f38
1 changed files with 41 additions and 0 deletions
@ -1430,6 +1430,47 @@ or ``knotc -f +keys +orphan zone-purge`` commands.
Contents of the *"trash bin*" is not part of :ref:`online backup<Online backup>`
and restore.

.. _Cleanup of removed legacy DNSSEC keys:

Cleanup of removed legacy DNSSEC keys
=====================================

In Knot DNS releases prior to XXXX, removed DNSSEC keys weren't moved to the "trash
bin", and with the exception of automatic rollover, they weren't deleted from the
keystore either -- as a safety measure. These legacy keys may be deleted using external
tools, like in the following example sequence of shell commands (for a PEM kesytore):

.. CAUTION::
If the keystore is shared with another application, care must be taken not to
delete keys used by that application. The example scripts below delete every keys
not used by the current Knot DNS configuration!

.. code-block::

$ KEYSTORE=/var/lib/knot/keys/keys
$ knotc -b zone-freeze
$ keymgr -l | while read zone; do keymgr "${zone}" list; done | \
sed 's@ .*$@.pem\$@' > ~/active_keys.pattern
$ find $KEYSTORE -maxdepth 1 -type f | grep -v -f ~/active_keys.pattern | xargs rm
$ knotc -b zone-thaw

or for a PKCS #11 keystore (using the ``p11tool`` command from
`GnuTLS <https://www.gnutls.org/>`_ suite):

.. code-block::

$ MYTOKEN="pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=40a4f510030dbee6;token=knot"
$ MYPIN=1234
$ knotc -b zone-freeze
$ keymgr -l | while read zone; do keymgr "${zone}" list; done | \
sed 's@ .*$@@' > ~/active_keys
$ sed "s/../%&/g;s/[a-z]/\U&/g;s/^/id=/;s/$/\;/" < ~/active_keys > ~/active_keys.pattern
$ p11tool --login --set-pin $MYPIN --list-all-privkeys --only-urls $MYTOKEN | \
grep -v -f ~/active_keys.pattern | \
xargs -n 1 p11tool --login --set-pin $MYPIN --batch --delete | \
grep -v -e "^$" -e "^[0-9]* objects deleted"
$ knotc -b zone-thaw

.. _Controlling a running daemon:

Daemon controls
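Review bot: both example pipelines lack a guard against `~/active_keys.pattern` being empty, which turns a harmless failure into loss of every key in the keystore. If `keymgr -l` or any `keymgr "${zone}" list` invocation fails (or lists no zones), the pattern file contains no patterns; GNU `grep -v -f` on an empty pattern file passes every input line through, so `find $KEYSTORE -maxdepth 1 -type f | grep -v -f ~/active_keys.pattern | xargs rm` removes all PEM files, and the `p11tool ... --batch --delete` pipeline likewise deletes every private key on the token, active keys included. Suggest inserting a check such as `[ -s ~/active_keys.pattern ] || exit 1` before the destructive step in both sequences, and advising readers to inspect the list of candidate files/URLs before piping it into `rm` or `--delete`. Documentation points in the same hunk: "releases prior to XXXX" is a placeholder that needs the real version before this WIP commit can be merged; "PEM kesytore" should read "PEM keystore"; "delete every keys" should read "delete every key"; and `\U` in the second `sed` expression is a GNU sed extension, which is worth stating since the sequence will not produce uppercase hex ids on BSD/macOS sed and the resulting patterns would then match nothing (again deleting everything). The unchanged context line ``*"trash bin*"`` has its emphasis markers misplaced (``*"trash bin"*``), pre-existing but cheap to fix while touching this section.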