[Opendnssec-develop] Purge keys

Sion Lloyd sion at nominet.org.uk
Tue Aug 17 12:49:58 UTC 2010


On Tuesday 17 Aug 2010 12:50:24 pm Rickard Bellgrim wrote:
> On 16 aug 2010, at 11.59, Sion Lloyd wrote:
> > If a key has been in the dead state for long enough on zone "A", but is
> > yet to be used by zone "B" on the policy, should we purge it?
> 
> If the key is yet to be used by zone "B" and we remove it, won't we just
> create a new key in the HSM to replace it? Thus not saving any space.

If it has moved into the dead state on zone A a new key must have been created 
to satisfy the policy for zone A.

> > My thought is that we should, because we are trying to save space on the
> > HSM and there must be enough keys without this one to keep zone "A"
> > happy.
> 
> Would zone "B" be happy?

Yes. It would never see this particular key, but that should not be an issue.

I think that I will leave it as it is currently, where a key will only be 
purged if all of its instances are in the dead state. This is the easiest 
thing to do and can always be revisited later.

Sion
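As an added illustration of the two purge rules weighed in this exchange (this is example code written for this page, not OpenDNSSEC's enforcer code or its KASP schema): a key shared by zones A and B on one policy is modelled with one instance per zone, and the conservative rule Sion keeps (purge only when every instance is dead) is placed beside the aggressive rule he considered (purge once any instance has been dead long enough). Key locators, zone names, state names and the `dead_for` field are all hypothetical, and the sample data is constructed.

```python
# Added illustration of the purge rule discussed in the thread: a shared key
# (one HSM key used by several zones on the same policy) is purged only when
# every per-zone instance of it is in the dead state. Hypothetical model; this
# is not OpenDNSSEC's enforcer code or database schema.
from dataclasses import dataclass, field

DEAD = "dead"


@dataclass
class KeyInstance:
    zone: str
    state: str          # hypothetical state names: "generate", "active", "retire", "dead"
    dead_for: int = 0   # seconds spent in the dead state (meaningful only when state == DEAD)


@dataclass
class SharedKey:
    locator: str                                   # hypothetical HSM key label
    instances: list = field(default_factory=list)  # one KeyInstance per zone using the key


def purgeable_conservative(key: SharedKey) -> bool:
    """Rule kept in the thread: purge only when every instance is dead.

    A key with no instances at all is not purged here either: nothing
    says it has ever reached the dead state for any zone.
    """
    return bool(key.instances) and all(i.state == DEAD for i in key.instances)


def purgeable_aggressive(key: SharedKey, min_dead: int) -> bool:
    """Rule considered and rejected: purge as soon as one instance has been
    dead for at least min_dead seconds, even if another zone on the policy
    is yet to use the key (that zone would simply never see it)."""
    return any(i.state == DEAD and i.dead_for >= min_dead for i in key.instances)


def select_for_purge(keys, rule, **kw):
    """Return the sorted locators of the keys a given rule would purge from the HSM."""
    return sorted(k.locator for k in keys if rule(k, **kw))


# Constructed sample: one policy shared by zones A and B.
SAMPLE = [
    # dead on A long enough, but B has not used it yet: the two rules disagree here
    SharedKey("k1", [KeyInstance("A", DEAD, 90000), KeyInstance("B", "generate")]),
    # dead on both zones: purged under either rule
    SharedKey("k2", [KeyInstance("A", DEAD, 90000), KeyInstance("B", DEAD, 5000)]),
    # still in use on both zones: never purged
    SharedKey("k3", [KeyInstance("A", "active"), KeyInstance("B", "active")]),
    # no instances at all: left alone by the conservative rule
    SharedKey("k4", []),
]

if __name__ == "__main__":
    print("conservative:", select_for_purge(SAMPLE, purgeable_conservative))
    print("aggressive:  ", select_for_purge(SAMPLE, purgeable_aggressive, min_dead=86400))
```

Run as a script, the difference between the two rules shows up on `k1`: the aggressive rule drops it from the HSM while zone B still expects to roll onto it, the conservative rule waits until B has also finished with it, which is the trade-off the thread settles by accepting a little wasted HSM space.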


