[Opendnssec-develop] [OpenDNSSEC] #151: Patch: Pruning unused policies and associated keys

OpenDNSSEC owner-dnssec-trac at kirei.se
Thu Jul 15 13:23:20 UTC 2010

#151: Patch: Pruning unused policies and associated keys
Reporter:  vanrein      |       Owner:  sion    
    Type:  enhancement  |      Status:  new     
Priority:  major        |   Component:  Enforcer
 Version:  trunk        |    Keywords:          

 Attached is a patch against OpenDNSSEC 1.1.1 that we would like to propose
 for inclusion.  It adds a "policy prune" command to ksmutil; when run, it
 removes all policies that are no longer referenced by any zone.
 While doing this, it will also remove keys from the database and from the

 This is useful for our 1.2-ish use of OpenDNSSEC, where we generate a
 policy for each of our customers; we do that because we share keys within
 each policy.  Sharing keys and removing unused ones keeps us from running
 into the limited number of licensed objects on our HSM.

 We have been using the code as its own documentation, so Sion: please
 check the code for oversights.  We hope to have followed the spirit of the
 current code to make it mingle with the rest.  And if you like it, could
 you please check it in so we can have it in 1.1.2?


 Rick van Rein
 for SURFnet

Ticket URL: <http://trac.opendnssec.org/ticket/151>
OpenDNSSEC <http://www.opendnssec.org/>
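The pruning logic the ticket describes, as an added illustration that is not the attached patch and not OpenDNSSEC's own code: find every policy with no zone attached, delete that policy's keypairs and then the policy, and hand back the HSM locators of the deleted keys so the caller can clean up the corresponding HSM objects separately. The schema (tables policies, zones, keypairs, dnsseckeys and their columns) and the sample rows are constructed for this example and only approximate the 1.x enforcer database; the guard that skips a zoneless policy whose keys are still allocated to a zone is a design choice of this example, added because shared keys make such an inconsistency the most expensive thing a prune could get wrong.

```python
import sqlite3

# Constructed, simplified schema in the spirit of the OpenDNSSEC 1.x enforcer
# database. Assumption: table and column names are illustrative only.
SCHEMA = """
CREATE TABLE policies (id INTEGER PRIMARY KEY, name TEXT UNIQUE NOT NULL);
CREATE TABLE zones (id INTEGER PRIMARY KEY, name TEXT UNIQUE NOT NULL,
                    policy_id INTEGER NOT NULL REFERENCES policies(id));
CREATE TABLE keypairs (id INTEGER PRIMARY KEY, hsm_locator TEXT UNIQUE NOT NULL,
                       policy_id INTEGER NOT NULL REFERENCES policies(id));
CREATE TABLE dnsseckeys (id INTEGER PRIMARY KEY,
                         keypair_id INTEGER NOT NULL REFERENCES keypairs(id),
                         zone_id INTEGER NOT NULL REFERENCES zones(id));
"""


def build_sample_db():
    """In-memory database with constructed sample data (not real enforcer data).

    customer-a: two zones sharing the policy's KSK/ZSK (the ticket's use case).
    customer-b: no zones left, two keypairs -> should be pruned.
    customer-c: no zones, but its key is (inconsistently) still allocated to
                a zone of customer-a -> must be skipped, not pruned.
    """
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO policies(id, name) VALUES (?, ?)",
                     [(1, "customer-a"), (2, "customer-b"), (3, "customer-c")])
    conn.executemany("INSERT INTO zones(id, name, policy_id) VALUES (?, ?, ?)",
                     [(1, "a.example.", 1), (2, "a2.example.", 1)])
    conn.executemany("INSERT INTO keypairs(id, hsm_locator, policy_id) VALUES (?, ?, ?)",
                     [(1, "ksk-a", 1), (2, "zsk-a", 1),
                      (3, "ksk-b", 2), (4, "zsk-b", 2),
                      (5, "ksk-c", 3)])
    conn.executemany("INSERT INTO dnsseckeys(id, keypair_id, zone_id) VALUES (?, ?, ?)",
                     [(1, 1, 1), (2, 2, 1), (3, 1, 2), (4, 2, 2), (5, 5, 1)])
    conn.commit()
    return conn


def unreferenced_policies(conn):
    """Policies (id, name) that no zone points at any more."""
    return conn.execute(
        "SELECT p.id, p.name FROM policies p "
        "LEFT JOIN zones z ON z.policy_id = p.id "
        "WHERE z.id IS NULL ORDER BY p.id").fetchall()


def prune_policies(conn, dry_run=False):
    """Remove zoneless policies and their keypairs in one transaction.

    Returns (pruned policy names, HSM locators of deleted keypairs,
    policy names skipped because a key of theirs is still allocated).
    The HSM objects behind the returned locators are NOT touched here.
    """
    pruned, locators, skipped = [], [], []
    with conn:  # commits on success, rolls back on any exception
        for pid, name in unreferenced_policies(conn):
            # Safety check: a key of a zoneless policy that is still allocated
            # to some zone means the database is inconsistent; deleting it
            # would orphan that zone's signing key, so skip the policy.
            live = conn.execute(
                "SELECT COUNT(*) FROM dnsseckeys d "
                "JOIN keypairs k ON k.id = d.keypair_id "
                "WHERE k.policy_id = ?", (pid,)).fetchone()[0]
            if live:
                skipped.append(name)
                continue
            locs = [r[0] for r in conn.execute(
                "SELECT hsm_locator FROM keypairs WHERE policy_id = ? ORDER BY id",
                (pid,))]
            if not dry_run:
                # keypairs first, then the policy they reference
                conn.execute("DELETE FROM keypairs WHERE policy_id = ?", (pid,))
                conn.execute("DELETE FROM policies WHERE id = ?", (pid,))
            pruned.append(name)
            locators.extend(locs)
    return pruned, locators, skipped


if __name__ == "__main__":
    db = build_sample_db()
    print("dry run:", prune_policies(db, dry_run=True))
    print("pruned:", prune_policies(db))
    print("remaining policies:",
          [r[0] for r in db.execute("SELECT name FROM policies ORDER BY id")])
```

Running it as a dry run first is the habit worth keeping: the same query that decides what to prune also tells you which HSM objects would be freed, so the licensed-object count can be checked before anything is deleted.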
