[Opendnssec-develop] Key removal
rickard.bondesson at iis.se
Thu Feb 19 13:01:30 UTC 2009
I think it should be the KASP Enforcer that removes the keys (from the HSM). It is the one that keeps track of the key states. If it knows that a key is no longer published, then the Signer Engine should not be using it for signing or having its DNSKEY in the zone. Thus it would not be a problem for the Enforcer to remove the key. If this is not true, then the knowledge of the key is incorrect, and the Enforcer would not be fulfilling its purpose.
The KASP Enforcer knows about the past, future, and present, whilst the Signer Engine only knows what the Enforcer tells it.
If a key is to be removed from a token that is not present, then an operator must be called upon. That is the job of the Enforcer, not the Signer Engine.
Just my thoughts…
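The division of labour argued for in the message above, modelled as a small Python simulation. This is an added example and not OpenDNSSEC code; the key lifecycle (generate, publish, ready, active, retire, dead), the `HsmToken` and `Enforcer` classes and their methods are assumptions made for illustration. The Enforcer is the only component that destroys keys in the token, it only destroys keys whose state says they are no longer published, and when the token is absent it records a task for an operator instead of failing.

```python
"""Toy model: the Enforcer owns key state and is the sole component that
destroys HSM keys; the Signer only sees what the Enforcer tells it.
Example code (assumed classes and states), not OpenDNSSEC's own."""
from dataclasses import dataclass, field
from enum import Enum


class KeyState(Enum):
    # Simplified lifecycle, assumed to be strictly ordered as listed.
    GENERATE = 1
    PUBLISH = 2   # DNSKEY in the zone, not yet signing
    READY = 3
    ACTIVE = 4    # signing
    RETIRE = 5    # DNSKEY still in the zone, no longer signing
    DEAD = 6      # no longer published anywhere; may be destroyed


@dataclass
class HsmToken:
    """Stand-in for a PKCS#11 token holding key objects by locator."""
    label: str
    present: bool = True
    keys: set = field(default_factory=set)

    def destroy(self, locator: str) -> None:
        if not self.present:
            raise RuntimeError(f"token {self.label} is not present")
        self.keys.remove(locator)


@dataclass
class Key:
    locator: str
    token: str
    state: KeyState = KeyState.GENERATE


class Enforcer:
    """Tracks key states; the only party allowed to remove keys."""

    def __init__(self, tokens):
        self.tokens = {t.label: t for t in tokens}
        self.keys = {}
        self.operator_tasks = []

    def generate(self, locator: str, token: str) -> None:
        self.tokens[token].keys.add(locator)
        self.keys[locator] = Key(locator, token)

    def advance(self, locator: str) -> KeyState:
        """Move a key one step along the lifecycle (ValueError past DEAD)."""
        key = self.keys[locator]
        key.state = KeyState(key.state.value + 1)
        return key.state

    def signer_view(self) -> dict:
        """What the Signer Engine is told: keys to publish, keys to sign with."""
        publish = sorted(k.locator for k in self.keys.values()
                         if KeyState.PUBLISH.value <= k.state.value <= KeyState.RETIRE.value)
        sign = sorted(k.locator for k in self.keys.values()
                      if k.state is KeyState.ACTIVE)
        return {"publish": publish, "sign": sign}

    def purge(self) -> list:
        """Destroy DEAD keys from present tokens; queue operator work otherwise."""
        removed = []
        for locator, key in list(self.keys.items()):
            if key.state is not KeyState.DEAD:
                continue  # still published or signing according to our own records
            token = self.tokens[key.token]
            if not token.present:
                task = f"insert token {token.label} to destroy key {locator}"
                if task not in self.operator_tasks:
                    self.operator_tasks.append(task)
                continue
            token.destroy(locator)
            del self.keys[locator]
            removed.append(locator)
        return removed


if __name__ == "__main__":
    hsm = HsmToken("softhsm")
    enf = Enforcer([hsm])
    enf.generate("zsk1", "softhsm")
    for _ in range(3):
        enf.advance("zsk1")           # -> ACTIVE
    print(enf.signer_view())          # signer publishes and signs with zsk1
    print(enf.purge())                # nothing removed: key is still in use
    enf.advance("zsk1"); enf.advance("zsk1")  # RETIRE, then DEAD
    hsm.present = False
    print(enf.purge(), enf.operator_tasks)    # operator must insert the token
    hsm.present = True
    print(enf.purge(), hsm.keys)              # key destroyed by the Enforcer
```

The point the model makes concrete: `purge` decides purely from the Enforcer's own state table, so a key the Signer is still told to publish or sign with can never be destroyed unless that table is wrong, which is exactly the failure the message says would mean the Enforcer is not doing its job.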