[Opendnssec-develop] Key removal

Matthijs Mekking matthijs at NLnetLabs.nl
Thu Feb 19 12:59:16 UTC 2009


Imo, the *decisions* whether to use a key for signing and publishing
should not be the task of the Signer Engine. So I would say: No, this
intelligence should stay in the Enforcer.

Matthijs



John Dickinson wrote:
> Stephen and I have been thinking about how the Enforcer should work.
> 
> Initially I was thinking that the Enforcer will tell the Signer Engine
> which keys should be published in the zone and which should be used to
> sign the zone. The Enforcer would make all the decisions about which
> keys are in which states (generated, published, active, retired, dead
> and no longer published). However, I am now wondering if the Enforcer
> should only be concerned with the states from generated to retired and
> that it should be up to the signer to decide when it is OK for a key
> that is no longer used for new signing operations (but may have been
> used to generate existing signatures) to be removed from the zone.
> 
> Thoughts?
> John
> ---
> John Dickinson
> http://www.jadickinson.co.uk
> 
> _______________________________________________
> Opendnssec-develop mailing list
> Opendnssec-develop at lists.opendnssec.org
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-develop
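The question above is when a key that is no longer used for new signatures may leave the zone. As an added example (not code from OpenDNSSEC or from either poster), the Python model below makes that decision from the information only the signer has: the inception of the newest RRSIG the key produced. The removal rule it applies (newest signature expiry plus one DNSKEY TTL so validators holding a cached RRSIG can still fetch the key) is a simplifying assumption, as are the state names taken from the message and the constructed timings.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class KeyState(Enum):
    """Key states named in the message; DEAD means no longer published."""
    GENERATED = "generated"
    PUBLISHED = "published"
    ACTIVE = "active"
    RETIRED = "retired"
    DEAD = "dead"


@dataclass
class ZoneKey:
    keytag: int
    state: KeyState
    retired_at: int                   # epoch seconds when signing stopped
    last_inception: Optional[int]     # inception of the newest RRSIG it made,
                                      # None if it never signed anything


def earliest_removal(key: ZoneKey, sig_validity: int, dnskey_ttl: int) -> int:
    """Earliest time a RETIRED key may be dropped from the zone.

    Assumed rule: every RRSIG the key produced must have expired
    (last_inception + sig_validity), and the key must stay one DNSKEY TTL
    beyond that so a validator that still holds such a signature in cache
    can fetch the DNSKEY RRset and validate it.
    """
    if key.state is not KeyState.RETIRED:
        raise ValueError("only RETIRED keys are candidates for removal")
    if key.last_inception is None:        # never used: nothing depends on it
        return key.retired_at
    return key.last_inception + sig_validity + dnskey_ttl


def can_remove(key: ZoneKey, now: int, sig_validity: int, dnskey_ttl: int) -> bool:
    """Signer-side check: True once the key can safely leave the zone."""
    return key.state is KeyState.RETIRED and now >= earliest_removal(key, sig_validity, dnskey_ttl)


def remove_if_safe(key: ZoneKey, now: int, sig_validity: int, dnskey_ttl: int) -> KeyState:
    """Move RETIRED -> DEAD only when can_remove() holds; otherwise unchanged."""
    if can_remove(key, now, sig_validity, dnskey_ttl):
        key.state = KeyState.DEAD
    return key.state


# Constructed sample: 14-day signature validity, 1-hour DNSKEY TTL.
SIG_VALIDITY = 14 * 24 * 3600
DNSKEY_TTL = 3600
zsk = ZoneKey(keytag=12345, state=KeyState.RETIRED, retired_at=1_000_500, last_inception=1_000_000)
```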

