[Opendnssec-develop] Key removal

Jakob Schlyter jakob at kirei.se
Thu Feb 19 12:58:42 UTC 2009


On 19 feb 2009, at 13.41, John Dickinson wrote:

> Stephen and I have been thinking about how the Enforcer should work.
>
> Initially I was thinking that the Enforcer will tell the Signer  
> Engine which keys should be published in the zone and which should  
> be used to sign the zone. The Enforcer would make all the decisions  
> about which keys are in which states (generated, published, active,  
> retired, dead and no longer published). However, I am now wondering  
> if the Enforcer should only be concerned with the states from  
> generated to retired and that it should be up to the signer to  
> decide when it is OK for a key that is no longer used for new  
> signing operations (but may have been used to generate existing  
> signatures) to be removed from the zone.

I would really like the enforcer to make all decisions regarding what  
keys are used for signing and publication, and that we can keep the  
signer stateless and "dumb".

	jakob
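The two positions above differ only in who owns the last transition of a key's life: whether the key stays in the zone until every signature it produced has expired is decided by the enforcer (and handed to the signer as a plain "publish these, sign with those" list), or by the signer itself. The following key state machine is an added illustration of the enforcer-owned design Jakob prefers; it is not OpenDNSSEC code, and all names (`Key`, `enforcer_step`, `signer_instructions`) and the removal rule (a retired key becomes dead once the last RRSIG made with it has expired) are assumptions made for this example, simpler than what a real enforcer policy would implement.

```python
from dataclasses import dataclass
from enum import Enum, auto
from typing import List, Tuple


class KeyState(Enum):
    """Key lifecycle as listed in the thread (assumed names)."""
    GENERATED = auto()   # key material exists, not yet in the zone
    PUBLISHED = auto()   # DNSKEY in the zone, not yet signing
    ACTIVE = auto()      # DNSKEY in the zone and producing RRSIGs
    RETIRED = auto()     # no new RRSIGs, old ones may still be valid
    DEAD = auto()        # removed from the zone


# Only forward moves are legal; the enforcer never reactivates a retired key.
ALLOWED = {
    KeyState.GENERATED: {KeyState.PUBLISHED},
    KeyState.PUBLISHED: {KeyState.ACTIVE},
    KeyState.ACTIVE: {KeyState.RETIRED},
    KeyState.RETIRED: {KeyState.DEAD},
    KeyState.DEAD: set(),
}


@dataclass
class Key:
    keytag: int
    state: KeyState = KeyState.GENERATED
    # Latest RRSIG expiration (unix seconds) produced with this key.
    # Constructed bookkeeping field: the enforcer updates it from signing runs.
    last_sig_expiry: int = 0


def transition(key: Key, new_state: KeyState) -> None:
    """Enforce the one-way lifecycle; an illegal move is a bug, not a policy choice."""
    if new_state not in ALLOWED[key.state]:
        raise ValueError(f"key {key.keytag}: {key.state.name} -> {new_state.name} not allowed")
    key.state = new_state


def record_signing(key: Key, sig_expiry: int) -> None:
    """Called when the signer reports a signing run; only ACTIVE keys may sign."""
    if key.state is not KeyState.ACTIVE:
        raise ValueError(f"key {key.keytag} is {key.state.name}, cannot sign")
    key.last_sig_expiry = max(key.last_sig_expiry, sig_expiry)


def removable(key: Key, now: int) -> bool:
    """Assumed rule: a retired key may leave the zone once no validator can still
    accept a signature it made, i.e. after its last RRSIG expiration time."""
    return key.state is KeyState.RETIRED and now >= key.last_sig_expiry


def enforcer_step(keys: List[Key], now: int) -> List[int]:
    """The enforcer's decision: move retired keys whose signatures have all
    expired to DEAD. Returns the keytags it removed."""
    removed = []
    for key in keys:
        if removable(key, now):
            transition(key, KeyState.DEAD)
            removed.append(key.keytag)
    return removed


def signer_instructions(keys: List[Key]) -> Tuple[List[int], List[int]]:
    """Everything a stateless signer needs: (keytags to publish, keytags to sign with)."""
    in_zone = (KeyState.PUBLISHED, KeyState.ACTIVE, KeyState.RETIRED)
    publish = sorted(k.keytag for k in keys if k.state in in_zone)
    sign = sorted(k.keytag for k in keys if k.state is KeyState.ACTIVE)
    return publish, sign


if __name__ == "__main__":
    # Constructed rollover: old key 1001 retires while new key 2002 takes over.
    old = Key(1001, KeyState.ACTIVE)
    new = Key(2002, KeyState.ACTIVE)
    record_signing(old, sig_expiry=2000)
    transition(old, KeyState.RETIRED)
    for now in (1500, 2000):
        enforcer_step([old, new], now)
        print(now, signer_instructions([old, new]))
```

Because `signer_instructions` always emits the complete publish and sign sets, the signer needs no memory of earlier runs; the only state that matters (which signatures a retired key still backs) lives in the enforcer.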



