[Opendnssec-develop] [OpenDNSSEC] #244: Feature request: add 'delete keys' option to ods-ksmutil
OpenDNSSEC
owner-dnssec-trac at kirei.se
Wed Jun 15 01:50:32 UTC 2011
#244: Feature request: add 'delete keys' option to ods-ksmutil
-----------------------------------------------------+----------------------
Reporter: Sebastian Castro <sebastian@…> | Owner: sion
Type: enhancement | Status: new
Priority: minor | Component: Enforcer
Version: trunk | Keywords:
-----------------------------------------------------+----------------------
We came across a use case for deleting keys from the HSM/KASP.
During testing we created a few keys with ods-ksmutil, which later were
deleted using ods-hsmutil. The problem is that those keys that have never been
used left a trace in the KASP, and there is no way (short of hacking into
the KASP) to delete those traces.
Let's assume that an operator has a policy with keys of a certain size, and
pre-generates a pool of keys for a long period. If at some point during
that period they need to change the key size of the policy and generate
new keys, they will end up with a few unused keys that will sit forever
in the HSM and the KASP. Those keys won't be deleted by "purge", because
they are not in the DEAD state.
The proposed interface for the command could be:

    ods-ksmutil key delete --cka_id LOCATOR [--force]

If the key is in the GENERATE state, it could be deleted without any side
effect.
If the key is in any other state, the key won't be deleted and the command
will complain. That behavior can be overridden by the --force option.
--
Ticket URL: <http://trac.opendnssec.org/ticket/244>
OpenDNSSEC <http://www.opendnssec.org/>
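The gap the ticket describes (an HSM-side deletion leaving a KASP row that "purge" never removes, and the proposed state-gated "key delete") can be modelled with a small in-memory KASP. This is an added illustration, not OpenDNSSEC code: the state names are the ticket's, the `Kasp` class, its methods and the sample key locators are constructed assumptions, and the real enforcer has more states and persists to a database.

```python
"""Constructed model of the KASP key-lifecycle gap described in ticket #244.

Assumptions (not OpenDNSSEC's implementation): a KASP is a dict of key rows,
"purge" removes only DEAD rows, an ods-hsmutil deletion touches the HSM but not
the KASP row, and the proposed "key delete" refuses non-GENERATE keys unless
force is given.
"""
from dataclasses import dataclass

# Subset of lifecycle states referenced in the ticket (assumed sufficient here).
GENERATE, ACTIVE, DEAD = "generate", "active", "dead"


@dataclass
class KaspKey:
    cka_id: str        # HSM locator used by --cka_id
    state: str
    in_hsm: bool = True


class KeyDeleteRefused(Exception):
    """Raised when 'key delete' is asked to remove a key outside GENERATE."""


class Kasp:
    def __init__(self, keys):
        self.keys = {k.cka_id: k for k in keys}

    def purge(self):
        """Existing behaviour: only DEAD keys are dropped from the KASP."""
        removed = sorted(c for c, k in self.keys.items() if k.state == DEAD)
        for c in removed:
            del self.keys[c]
        return removed

    def hsm_delete(self, cka_id):
        """ods-hsmutil-style removal: the HSM object goes, the KASP row stays."""
        self.keys[cka_id].in_hsm = False

    def orphans(self):
        """KASP rows whose HSM key is gone but which purge will never touch."""
        return sorted(c for c, k in self.keys.items()
                      if not k.in_hsm and k.state != DEAD)

    def key_delete(self, cka_id, force=False):
        """Proposed 'ods-ksmutil key delete --cka_id LOCATOR [--force]'."""
        key = self.keys.get(cka_id)
        if key is None:
            raise KeyError(f"no KASP row for locator {cka_id}")
        if key.state != GENERATE and not force:
            raise KeyDeleteRefused(
                f"{cka_id} is in state {key.state}; refusing without --force")
        del self.keys[cka_id]
        return key


def run_scenario():
    """Walk through the ticket's story with constructed locators."""
    kasp = Kasp([KaspKey("k-unused", GENERATE),   # pre-generated, never used
                 KaspKey("k-active", ACTIVE),
                 KaspKey("k-old", DEAD)])
    kasp.hsm_delete("k-unused")                   # operator removed it via HSM tool
    purged = kasp.purge()                         # drops only k-old
    orphans_before = kasp.orphans()               # k-unused lingers
    kasp.key_delete("k-unused")                   # proposed command fixes it
    try:
        kasp.key_delete("k-active")
        refused = False
    except KeyDeleteRefused:
        refused = True
    return {"purged": purged, "orphans_before": orphans_before,
            "orphans_after": kasp.orphans(), "active_refused": refused}


if __name__ == "__main__":
    print(run_scenario())
```

The scenario shows why the reporter's two rules matter: without the new command the GENERATE-state row survives every purge, and the force gate keeps an operator from silently removing a key that is still part of a signing chain.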