[Opendnssec-develop] delete keys

Rickard Bellgrim rickard at opendnssec.org
Thu Jan 5 08:55:20 UTC 2012


>>> One question is whether we should remove documentation for the --force
>>> flag; or if we should remove that functionality completely? Currently, if
>>> the key is not in the generate or dead state then the script exits...
>>> unless the --force flag is provided, in which case they are asked if they
>>> really want to continue.
>>
>> Is there a use case for having the --force flag?
>>
>
> Test environments maybe?
>
> Published keys that have not become active (maybe if you lose access to them
> or want to increase the key length?)
>
> If you have multiple active keys in parallel?

It sounds like it would be ok to have the --force flag in the code.
But with the risk that they will break DNSSEC if they do not know what
they are doing.


