[Opendnssec-develop] Key removal
matthijs at NLnetLabs.nl
Thu Feb 19 12:59:16 UTC 2009
IMO, the *decisions* whether to use a key for signing and publishing
should not be the task of the Signer Engine. So I would say: No, this
intelligence should stay in the Enforcer.
John Dickinson wrote:
> Stephen and I have been thinking about how the Enforcer should work.
> Initially I was thinking that the Enforcer will tell the Signer Engine
> which keys should be published in the zone and which should be used to
> sign the zone. The Enforcer would make all the decisions about which
> keys are in which states (generated, published, active, retired, dead
> and no longer published). However, I am now wondering if the Enforcer
> should only be concerned with the states from generated to retired and
> that it should be up to the signer to decide when it is OK for a key
> that is no longer used for new signing operations (but may have been
> used to generate existing signatures) to be removed from the zone.
> John Dickinson
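To make the question in the thread concrete, here is a small Python model of the key states John lists; it is an added example, not code from OpenDNSSEC or from either author, and the TTL, propagation delay, key tags and timestamps are assumed values. Whoever owns the decision (Enforcer or Signer), the retired-to-dead transition has to wait until no validator can still hold an RRSIG made with the key, otherwise the DNSKEY disappears while cached signatures still point at it.

```python
from dataclasses import dataclass
from enum import Enum, auto
from typing import Optional

class KeyState(Enum):
    """Key states as named in the thread, in lifecycle order."""
    GENERATED = auto()  # exists in the keystore, not yet in the zone
    PUBLISHED = auto()  # DNSKEY in the zone, not yet signing
    ACTIVE = auto()     # DNSKEY in the zone and producing RRSIGs
    RETIRED = auto()    # no new RRSIGs, but old ones may still be cached
    DEAD = auto()       # DNSKEY withdrawn from the zone

@dataclass
class Key:
    keytag: int
    state: KeyState
    retired_at: Optional[int] = None  # epoch seconds: last moment RRSIGs by this key were served

def earliest_removal(key: Key, max_ttl: int, propagation: int) -> Optional[int]:
    """Earliest time the DNSKEY may leave the zone without breaking validation.

    The last RRSIG made by the key can still be fetched until the re-signed zone
    has reached every secondary (retired_at + propagation), and a fetched RRSIG
    then lives in resolver caches for up to its TTL (assumed max_ttl). Removing
    the DNSKEY earlier leaves validators with a signature and no key for it.
    """
    if key.state is not KeyState.RETIRED or key.retired_at is None:
        return None  # only a retired key is a candidate for removal
    return key.retired_at + propagation + max_ttl

def try_remove(key: Key, now: int, max_ttl: int, propagation: int) -> bool:
    """Move a RETIRED key to DEAD if it is safe now; return whether it moved."""
    deadline = earliest_removal(key, max_ttl, propagation)
    if deadline is None or now < deadline:
        return False
    key.state = KeyState.DEAD
    return True

def rollover_timeline(max_ttl: int = 3600, propagation: int = 600) -> dict:
    """Constructed ZSK rollover: key 1 retired at t=10000, checked at a few later times."""
    old = Key(keytag=1, state=KeyState.RETIRED, retired_at=10_000)
    states = {}
    for now in (10_000, 12_000, 14_200, 14_201):
        try_remove(old, now, max_ttl, propagation)
        states[now] = old.state.name
    return states
```

With a 600 s propagation delay and a 3600 s TTL the key stays in the zone until t=14200, even though it stopped signing at t=10000.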