[Opendnssec-develop] Purge keys

Rickard Bellgrim rickard.bellgrim at iis.se
Tue Aug 17 11:50:24 UTC 2010


On 16 aug 2010, at 11.59, Sion Lloyd wrote:

> If a key has been in the dead state for long enough on zone "A", but is yet to 
> be used by zone "B" on the policy, should we purge it?

If the key is yet to be used by zone "B" and we remove it, won't we just create a new key in the HSM to replace it, thus not saving any space?

> My thought is that we should, because we are trying to save space on the HSM 
> and there must be enough keys without this one to keep zone "A" happy.

Would zone "B" be happy?

> Can anyone think of a use-case for purge where this would not be appropriate?

Keys should only be removed if they are completely dead.

// Rickard



