- Type: New Feature
- Status: Closed
- Priority: Major
- Resolution: Fixed
- Affects Version/s: OpenDNSSEC 2.0
- Fix Version/s: None
- Component/s: Enforcer
- Labels: None
Hello,
Attached is a patch against OpenDNSSEC 1.1.1 that we would like to propose for inclusion. It adds a "policy prune" command to ksmutil, and when running that it will remove all policies not referenced by a zone anymore. While doing this, it will also remove keys from the database and from the HSM.
This is useful for our 1.2-ish use of OpenDNSSEC, where we generate policies for each of our customers; we use that because we share keys within each policy. Sharing keys and removing unused ones keeps us from running into the limited number of licensed objects of our HSM.
We have been using the code as its own documentation, so Sion: please check the code for oversights. We hope to have followed the spirit of the current code to make it mingle with the rest. And if you like it, could you please check it in so we can have it in 1.1.2?
Thanks!
Rick van Rein
for SURFnet
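A worked illustration of the prune logic the ticket describes, added here as example code; it is neither the SURFnet patch nor OpenDNSSEC's own ksmutil code. It models the policy/zone/key relationships in an in-memory SQLite database with a constructed, simplified schema (an assumption, not the real kasp database layout), computes a dry-run plan of what would be removed, refuses to prune when a key of an unreferenced policy is still allocated to a zone (an inconsistent database), and commits the database deletions only after the hypothetical `hsm_delete` callback has removed every key from the HSM.

```python
import sqlite3
from typing import Callable, Dict, List

# Constructed, simplified schema: an assumption for this example, not the
# real OpenDNSSEC 1.x kasp database layout.
SCHEMA = """
CREATE TABLE policies   (id INTEGER PRIMARY KEY, name TEXT NOT NULL UNIQUE);
CREATE TABLE zones      (id INTEGER PRIMARY KEY, name TEXT NOT NULL UNIQUE,
                         policy_id INTEGER NOT NULL REFERENCES policies(id));
CREATE TABLE keypairs   (id INTEGER PRIMARY KEY, hsm_key_id TEXT NOT NULL UNIQUE,
                         policy_id INTEGER NOT NULL REFERENCES policies(id));
CREATE TABLE dnsseckeys (keypair_id INTEGER NOT NULL REFERENCES keypairs(id),
                         zone_id INTEGER NOT NULL REFERENCES zones(id));
"""


def make_sample_db() -> sqlite3.Connection:
    """Constructed sample data: policy 1 is used by two zones, 2 and 3 by none."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO policies VALUES (?, ?)",
                     [(1, "customer-a"), (2, "customer-b"), (3, "customer-c")])
    conn.executemany("INSERT INTO zones VALUES (?, ?, ?)",
                     [(10, "a.example", 1), (11, "a2.example", 1)])
    conn.executemany("INSERT INTO keypairs VALUES (?, ?, ?)",
                     [(100, "hsm-a-ksk", 1), (101, "hsm-b-ksk", 2),
                      (102, "hsm-b-zsk", 2), (103, "hsm-c-zsk", 3)])
    conn.executemany("INSERT INTO dnsseckeys VALUES (?, ?)", [(100, 10), (100, 11)])
    conn.commit()
    return conn


def unreferenced_policies(conn: sqlite3.Connection) -> List[str]:
    """Names of policies that no zone points at, in id order."""
    rows = conn.execute("""
        SELECT p.name FROM policies p
        LEFT JOIN zones z ON z.policy_id = p.id
        WHERE z.id IS NULL
        ORDER BY p.id""").fetchall()
    return [name for (name,) in rows]


def plan_prune(conn: sqlite3.Connection) -> Dict[str, List[str]]:
    """Dry run: which policies and which HSM keys a prune would remove.

    A key of an unreferenced policy that is still allocated to a zone means
    the database is inconsistent; such keys are listed under 'blocked' and
    prune() refuses to run while any exist.
    """
    policies = unreferenced_policies(conn)
    if not policies:
        return {"policies": [], "hsm_keys": [], "blocked": []}
    marks = ",".join("?" for _ in policies)
    rows = conn.execute(f"""
        SELECT k.hsm_key_id,
               EXISTS (SELECT 1 FROM dnsseckeys d WHERE d.keypair_id = k.id) AS in_use
        FROM keypairs k JOIN policies p ON p.id = k.policy_id
        WHERE p.name IN ({marks})
        ORDER BY k.id""", policies).fetchall()
    return {
        "policies": policies,
        "hsm_keys": [hk for hk, in_use in rows if not in_use],
        "blocked": [hk for hk, in_use in rows if in_use],
    }


def prune(conn: sqlite3.Connection,
          hsm_delete: Callable[[str], None]) -> Dict[str, List[str]]:
    """Remove unreferenced policies and their keys from the DB and the HSM.

    hsm_delete is a hypothetical callback standing in for the HSM's key
    destruction call. The database deletions stay uncommitted until every
    HSM deletion has succeeded, so a failing HSM call rolls the DB back and
    it keeps pointing at whatever keys are still in the HSM.
    """
    plan = plan_prune(conn)
    if plan["blocked"]:
        raise RuntimeError(f"keys still allocated to zones: {plan['blocked']}")
    if not plan["policies"]:
        return plan
    marks = ",".join("?" for _ in plan["policies"])
    try:
        # sqlite3 opens an implicit transaction on the first DELETE.
        conn.execute(f"""DELETE FROM keypairs WHERE policy_id IN
                         (SELECT id FROM policies WHERE name IN ({marks}))""",
                     plan["policies"])
        conn.execute(f"DELETE FROM policies WHERE name IN ({marks})",
                     plan["policies"])
        for hsm_key in plan["hsm_keys"]:
            hsm_delete(hsm_key)
        conn.commit()
    except Exception:
        conn.rollback()
        raise
    return plan


if __name__ == "__main__":
    db = make_sample_db()
    print("plan:", plan_prune(db))
    print("pruned:", prune(db, lambda k: print("  destroying HSM key", k)))
```

The dry-run plan is the piece worth keeping even if the rest is discarded: a command that destroys HSM objects should show what it is about to delete and stop on any key that a zone still references, since a shared key removed by mistake breaks signing for every zone under that policy.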