[Opendnssec-develop] Unused policies

sion at nominet.org.uk
Wed Jan 27 13:07:38 UTC 2010


> Hey all,
>
> When you have several policies in your kasp.xml and are not using the
> ‘default’ policy in any of the zones in the zonelist, what happens
> with these unused policies, including the default? I keep getting
> warnings and messages about the default policy at every resign even
> though I’m not using it. I would assume it’s not logical to be
> checking all (unused) policies during a resign of one specific
> policy. Slows things down.

Just to clarify, this will be happening when the enforcer runs, not on
resigning.

> In my case I kept getting messages about a full repository, even
> though I’m not even using that repo.

We have a story (in the icebox at the moment) about removing policies
completely. If I also add a story about not checking repo capacity if no
keys need to be generated then I think that we are covered?

You can minimise the amount of work done for an unused policy by setting
the ManualKeyGeneration tag, which I appreciate is not a long-term
solution.

Sion