diff --git a/doc/operation.rst b/doc/operation.rst index 78bee0215..7bcc007d5 100644 --- a/doc/operation.rst +++ b/doc/operation.rst 
@@ -1430,6 +1430,47 @@ or ``knotc -f +keys +orphan zone-purge`` commands. Contents of the *"trash bin*" is not part of :ref:`online backup` and restore. +.. _Cleanup of removed legacy DNSSEC keys: + +Cleanup of removed legacy DNSSEC keys +===================================== + +In Knot DNS releases prior to XXXX, removed DNSSEC keys weren't moved to the "trash +bin", and with the exception of automatic rollover, they weren't deleted from the +keystore either -- as a safety measure. These legacy keys may be deleted using external +tools, like in the following example sequence of shell commands (for a PEM kesytore): + +.. CAUTION:: + If the keystore is shared with another application, care must be taken not to + delete keys used by that application. The example scripts below delete every keys + not used by the current Knot DNS configuration! + +.. code-block:: + + $ KEYSTORE=/var/lib/knot/keys/keys + $ knotc -b zone-freeze + $ keymgr -l | while read zone; do keymgr "${zone}" list; done | \ + sed 's@ .*$@.pem\$@' > ~/active_keys.pattern + $ find $KEYSTORE -maxdepth 1 -type f | grep -v -f ~/active_keys.pattern | xargs rm + $ knotc -b zone-thaw + +or for a PKCS #11 keystore (using the ``p11tool`` command from +`GnuTLS `_ suite): + +.. code-block:: + + $ MYTOKEN="pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=40a4f510030dbee6;token=knot" + $ MYPIN=1234 + $ knotc -b zone-freeze + $ keymgr -l | while read zone; do keymgr "${zone}" list; done | \ + sed 's@ .*$@@' > ~/active_keys + $ sed "s/../%&/g;s/[a-z]/\U&/g;s/^/id=/;s/$/\;/" < ~/active_keys > ~/active_keys.pattern + $ p11tool --login --set-pin $MYPIN --list-all-privkeys --only-urls $MYTOKEN | \ + grep -v -f ~/active_keys.pattern | \ + xargs -n 1 p11tool --login --set-pin $MYPIN --batch --delete | \ + grep -v -e "^$" -e "^[0-9]* objects deleted" + $ knotc -b zone-thaw + .. _Controlling a running daemon: Daemon controls
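Review bot: both example sequences delete everything that does not match ``~/active_keys.pattern``, but nothing checks that the pattern file is non-empty; if ``keymgr -l`` or ``keymgr "${zone}" list`` fails (wrong config path, insufficient permissions, no zones configured), the file is empty, ``grep -v -f`` passes every line through, and ``xargs rm`` / ``p11tool --delete`` removes every key in the keystore or token. Please add a guard such as ``[ -s ~/active_keys.pattern ] || exit 1`` before the ``find``/``p11tool`` lines, and consider showing a dry run first (``xargs echo rm`` or ``xargs -n 1 echo p11tool ... --delete``) so the reader can inspect the list before anything is deleted. The ``-v -f`` pattern files are also consumed as regular expressions, which is fine for hex key ids, but worth a sentence in the text since a stray line would silently widen or narrow the match. In the PKCS #11 sequence the PIN is passed on the command line (``--set-pin $MYPIN``), so it ends up in shell history and process listings; the GNUTLS_PIN environment variable p11tool honours avoids that, or at least note the exposure. Smaller points in the added prose: ``XXXX`` must be replaced with the actual release before merge; "kesytore" should read "keystore"; "delete every keys" should be "delete every key"; the link ```GnuTLS `_`` has an empty URL target; the two ``.. code-block::`` directives lack a language (``console`` would match the ``$`` prompts); and the emphasis in the context line ``*"trash bin*"`` is misplaced (``*"trash bin"*``).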