[Opendnssec-develop] Key removal

John Dickinson jad at jadickinson.co.uk
Thu Feb 19 12:41:07 UTC 2009

Stephen and I have been thinking about how the Enforcer should work.

Initially I was thinking that the Enforcer will tell the Signer Engine  
which keys should be published in the zone and which should be used to  
sign the zone. The Enforcer would make all the decisions about which  
keys are in which states (generated, published, active, retired, dead  
and no longer published). However, I am now wondering if the Enforcer  
should only be concerned with the states from generated to retired and  
that it should be up to the signer to decide when it is OK for a key  
that is no longer used for new signing operations (but may have been  
used to generate existing signatures) to be removed from the zone.

John Dickinson

More information about the Opendnssec-develop mailing list