[Opendnssec-develop] Key removal

Rickard Bondesson rickard.bondesson at iis.se
Thu Feb 19 13:01:30 UTC 2009


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> Thoughts?
> John

I think it should be the KASP Enforcer that removes the keys (from the HSM). It is the one that keeps track of the key states. If it knows that a key is no longer published, then the Signer Engine should not use it for signing or have the DNSKEY in the zone. Thus it would not be a problem for the Enforcer to remove the key. If this is not true, then the knowledge of the key is incorrect, and thus the Enforcer would not fulfil its purpose.

The KASP Enforcer knows about the past, future, and present, whilst the Signer Engine only knows what the Enforcer is saying to it.

If a key is to be removed from a token that is not present, then an operator must be called upon. That is the job of the Enforcer, not the Signer Engine.

Just my thoughts…

// Rickard
-----BEGIN PGP SIGNATURE-----
Version: 9.8.3 (Build 4028)
Charset: utf-8

wsBVAwUBSZ1YKuCjgaNTdVjaAQgzVgf+IgLQNIw96A8H2OP9sghYbCZCfg36V6M/
s2MY+27xlxLlvADvLfn0D6JC1Cnpy3P2PLy0t+yQM8MVbYXa9VwQ6TXAsyknAm9w
W14Kwk2nBNa2ucWgvWOi06j4doGLriu3svDH8AJiuhGFY/PKf86MQUuNrCEBAibk
g1/QUX6VXaV+7u51Qjx9VXp1ocRpqHVW3HNHTI18/VMsHgVFXMA8jaYffJnNsG0M
UCXRHATg+PPoo7EmXAqqkFbrRTCv0uZJjORz28gNBHEmuscc/jH2Tbpa2URlVXOq
BLf74A3xtmGMCWhrwVfcTOK6x1bkdZQ8zU7qx5hI0fY6+CQmFcthBA==
=tS3Z
-----END PGP SIGNATURE-----
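The division of responsibility argued for above (the Enforcer owns the key state machine, the Signer only sees what the Enforcer tells it, and a key on an absent token is escalated to an operator rather than silently skipped) can be sketched as a small model. This is an added example, not OpenDNSSEC code: the state names follow the KASP lifecycle (generate, publish, ready, active, retire, dead), but the `FakeHsm`, `Enforcer`, and `Key` classes, the token labels, the locator names and the timings are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# KASP key lifecycle, in order. Only the Enforcer moves a key along it.
STATES = ["generate", "publish", "ready", "active", "retire", "dead"]


class OperatorActionRequired(Exception):
    """Destroying the key needs a human: the token it lives on is not present."""


@dataclass
class Key:
    locator: str                      # CKA_ID-like handle of the key in the HSM (constructed)
    token: str                        # label of the token the key lives on (constructed)
    state: str = "generate"
    dead_at: Optional[int] = None     # time from which the key is no longer published
    destroyed_at: Optional[int] = None


class FakeHsm:
    """Stand-in for the PKCS#11 layer, constructed for this example."""

    def __init__(self, tokens):
        self.keys = {t: set() for t in tokens}   # token label -> locators stored there
        self.present = set(tokens)               # tokens currently plugged in

    def store(self, key):
        self.keys[key.token].add(key.locator)

    def destroy(self, key):
        if key.token not in self.present:
            raise OperatorActionRequired(
                f"token {key.token!r} absent; {key.locator} must be removed by an operator")
        self.keys[key.token].discard(key.locator)


class Enforcer:
    """Owns the state machine; the Signer only ever sees signer_view()."""

    def __init__(self, hsm):
        self.hsm = hsm
        self.keys = {}
        self.pending_operator = []    # dead keys the HSM could not destroy yet

    def add(self, key):
        self.keys[key.locator] = key
        self.hsm.store(key)

    def advance(self, locator, new_state, now, dnskey_ttl=0):
        """Move a key to the next state. 'dead' is only reached through purge()."""
        key = self.keys[locator]
        if new_state == "dead" or STATES.index(new_state) != STATES.index(key.state) + 1:
            raise ValueError(f"{locator}: {key.state} -> {new_state} is not allowed")
        if new_state == "retire":
            # The DNSKEY must stay published until resolver caches have expired it.
            key.dead_at = now + dnskey_ttl
        key.state = new_state

    def signer_view(self):
        """What the Signer Engine is told: keys it may publish or sign with."""
        return {k.locator: k.state for k in self.keys.values()
                if k.state in ("publish", "ready", "active", "retire")}

    def purge(self, now):
        """Mark retired keys whose TTL has elapsed as dead, then destroy them in the HSM.
        Returns (destroyed, pending_operator) lists of locators."""
        destroyed = []
        for key in self.keys.values():
            if key.state == "retire" and key.dead_at is not None and key.dead_at <= now:
                key.state = "dead"    # withdrawn from the Signer before the HSM is touched
            if key.state == "dead" and key.destroyed_at is None:
                try:
                    self.hsm.destroy(key)
                    key.destroyed_at = now
                    destroyed.append(key.locator)
                    if key.locator in self.pending_operator:
                        self.pending_operator.remove(key.locator)
                except OperatorActionRequired:
                    if key.locator not in self.pending_operator:
                        self.pending_operator.append(key.locator)
        return destroyed, list(self.pending_operator)


def demo():
    """Two ZSKs retire together; one token is unplugged before their TTL elapses."""
    hsm = FakeHsm(tokens=["token-a", "token-b"])
    enf = Enforcer(hsm)
    enf.add(Key("zsk-1", "token-a"))
    enf.add(Key("zsk-2", "token-b"))
    for state in ("publish", "ready", "active"):
        enf.advance("zsk-1", state, now=0)
        enf.advance("zsk-2", state, now=0)
    enf.advance("zsk-1", "retire", now=100, dnskey_ttl=3600)
    enf.advance("zsk-2", "retire", now=100, dnskey_ttl=3600)
    early = enf.purge(now=1000)             # still within TTL: nothing happens
    hsm.present.discard("token-b")          # second token unplugged
    late = enf.purge(now=3700)              # zsk-1 destroyed, zsk-2 needs an operator
    view = enf.signer_view()                # neither key is offered to the Signer
    hsm.present.add("token-b")              # operator plugs the token back in
    after = enf.purge(now=5000)
    return early, late, view, after


if __name__ == "__main__":
    print(demo())
```

The point of the ordering in `purge()` is that the key state flips to dead before the HSM is asked to destroy anything, so the Signer Engine stops using the key even when the token is missing, and the Enforcer keeps the key on its operator list until a later run succeeds.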
