[Opendnssec-develop] Key removal
John Dickinson
jad at jadickinson.co.uk
Thu Feb 19 12:41:07 UTC 2009
Stephen and I have been thinking about how the Enforcer should work.
Initially I was thinking that the Enforcer will tell the Signer Engine
which keys should be published in the zone and which should be used to
sign the zone. The Enforcer would make all the decisions about which
keys are in which states (generated, published, active, retired, dead
and no longer published). However, I am now wondering if the Enforcer
should only be concerned with the states from generated to retired and
that it should be up to the signer to decide when it is OK for a key
that is no longer used for new signing operations (but may have been
used to generate existing signatures) to be removed from the zone.
Thoughts?
John
---
John Dickinson
http://www.jadickinson.co.uk
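
A sketch of the split proposed in the message above, added here as an example and not code from the post or from OpenDNSSEC: the Enforcer hands over keys in states generated to retired, and the signer alone decides when a retired key can leave the zone. The `Rrsig` type, the function name, the key tags and the timestamps are constructed, and the removal rule used (no unexpired signature in the zone still names the key) is an assumption that ignores signatures held in resolver caches.

```python
from dataclasses import dataclass
from enum import Enum


class KeyState(Enum):
    # States the Enforcer would own under the proposal.
    GENERATED = 1
    PUBLISHED = 2
    ACTIVE = 3
    RETIRED = 4


@dataclass(frozen=True)
class Rrsig:
    # Constructed stand-in for one signature in the signed zone.
    owner: str
    rrtype: str
    key_tag: int
    expiration: int  # seconds since the epoch


def signer_key_sets(enforcer_keys, zone_rrsigs, now):
    """Return (publish, sign_with, removable) sets of key tags.

    enforcer_keys maps key tag -> KeyState as handed over by the Enforcer.
    A RETIRED key stays published while an unexpired signature names it.
    """
    still_referenced = {s.key_tag for s in zone_rrsigs if s.expiration > now}
    publish, sign_with, removable = set(), set(), set()
    for tag, state in enforcer_keys.items():
        if state is KeyState.GENERATED:
            continue  # not in the zone yet
        if state is KeyState.ACTIVE:
            sign_with.add(tag)
        if state is KeyState.RETIRED and tag not in still_referenced:
            removable.add(tag)  # signer's own decision, no Enforcer input
        else:
            publish.add(tag)
    return publish, sign_with, removable


# Constructed sample: 1111 and 2222 are retired, only 1111 has a live signature.
NOW = 1_235_000_000
KEYS = {1111: KeyState.RETIRED, 2222: KeyState.RETIRED, 3333: KeyState.ACTIVE,
        4444: KeyState.PUBLISHED, 5555: KeyState.GENERATED}
RRSIGS = [Rrsig("example.", "SOA", 3333, NOW + 86400),
          Rrsig("www.example.", "A", 1111, NOW + 3600),
          Rrsig("mail.example.", "A", 2222, NOW - 60)]
```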