[Opendnssec-user] Managing KASP policies

Rick van Rein rick at openfortress.nl
Wed Jul 28 07:00:30 UTC 2010

Hi Dave,

> If I remove one from that file, then run `ksm update all`, it isn't actually removed and now I have inconsistency between the file and the db. While there is a `ksm zone delete` command there is no corresponding `ksm policy delete`. 

The idea behind this is that removal of a policy is almost certainly a
mistake.  For that reason, it is not removed from the database.  It does
not matter much, except that it does mean that keys are kept around.

We use OpenDNSSEC with a dynamic set of policies, and have therefore
proposed a patch to add a "policy prune" command to ksm.  This removes
any policy that has no zone attached, and will also cleanup its keys.
We are currently proposing this patch for inclusion in future versions
of OpenDNSSEC -- probably in 1.2.

We are doing 1.2'ish things, namely registrar functions, and needed to
setup key sharing among customers.  Each customer has its own shared key
set, and that implies that each customer must have its own policy.  When
customers disappear, their policies and keys must also be dropped.

> Am I doing something wrong? Is this better in a newer release?

Not likely before 1.2, unless you'd apply our patch to 1.1.1:


What is your use case for wanting to drop policies?


More information about the Opendnssec-user mailing list