[Opendnssec-user] Managing KASP policies
Dave Knight
dave at knig.ht
Thu Jul 29 15:32:11 UTC 2010
Hi Rick,
On 2010-07-28, at 3:00 AM, Rick van Rein wrote:
> Hi Dave,
>
>> If I remove one from that file, then run `ksm update all`, it isn't actually removed and now I have inconsistency between the file and the db. While there is a `ksm zone delete` command there is no corresponding `ksm policy delete`.
>
> The idea behind this is that removal of a policy is almost certainly a
> mistake. For that reason, it is not removed from the database. It does
> not matter much, except that it does mean that keys are kept around.
>
> We use OpenDNSSEC with a dynamic set of policies, and have therefore
> proposed a patch to add a "policy prune" command to ksm. This removes
> any policy that has no zone attached, and will also clean up its keys.
> We are currently proposing this patch for inclusion in future versions
> of OpenDNSSEC -- probably in 1.2.
I'm trying to get rid of policies which have no associated zones, but probably have never-will-be-used keys hanging around, so this sounds pretty much exactly like what I want :)
> We are doing 1.2'ish things, namely registrar functions, and needed to
> set up key sharing among customers. Each customer has its own shared key
> set, and that implies that each customer must have its own policy. When
> customers disappear, their policies and keys must also be dropped.
My setup is not on a big scale; in total it will ultimately handle under a hundred zones, but I do have a need for different policies: some zones need NSEC3, some may use shared keys. I like to be able to try stuff out and then definitively clean up after myself.
>> Am I doing something wrong? Is this better in a newer release?
>
> Not likely before 1.2, unless you'd apply our patch to 1.1.1:
>
> http://trac.opendnssec.org/attachment/ticket/151/opendnssec-1.1.1-policy-prune.patch
>
> What is your use case for wanting to drop policies?
While trying things out I have created a few test policies which I now want to get rid of. I don't see an ongoing need for this as really trying stuff out ought to be happening in a lab environment where I can blow away the whole config and start over.
dave
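The "policy prune" rule discussed in the thread (a policy is a candidate for removal only when no zone references it) can be checked ahead of time against the configuration files. The following is an added example, not code from the thread or from OpenDNSSEC; it assumes the kasp.xml layout `<KASP><Policy name="...">` and the zonelist.xml layout `<ZoneList><Zone name="..."><Policy>name</Policy>`, and uses constructed sample files. It also reports the reverse problem, a zone pointing at a policy that no longer exists in kasp.xml.

```python
import xml.etree.ElementTree as ET

# Constructed sample kasp.xml: three policies, one of them a scratch policy.
KASP_XML = """<KASP>
  <Policy name="default"><Description>Production zones</Description></Policy>
  <Policy name="nsec3"><Description>NSEC3 zones</Description></Policy>
  <Policy name="test1"><Description>Scratch policy from testing</Description></Policy>
</KASP>"""

# Constructed sample zonelist.xml: only two of the policies are referenced.
ZONELIST_XML = """<ZoneList>
  <Zone name="example.com"><Policy>default</Policy></Zone>
  <Zone name="example.net"><Policy>nsec3</Policy></Zone>
</ZoneList>"""


def policies_defined(kasp_xml: str) -> set:
    """Names of every <Policy name="..."> element in kasp.xml (assumed layout)."""
    root = ET.fromstring(kasp_xml)
    return {p.get("name") for p in root.findall("Policy") if p.get("name")}


def policies_referenced(zonelist_xml: str) -> set:
    """Policy names that at least one <Zone> in zonelist.xml points at."""
    root = ET.fromstring(zonelist_xml)
    return {z.findtext("Policy").strip()
            for z in root.findall("Zone") if z.findtext("Policy")}


def orphaned_policies(kasp_xml: str, zonelist_xml: str) -> list:
    """Policies defined but attached to no zone: the set 'policy prune' would remove."""
    return sorted(policies_defined(kasp_xml) - policies_referenced(zonelist_xml))


def dangling_references(kasp_xml: str, zonelist_xml: str) -> list:
    """Policies zones refer to that kasp.xml no longer defines: a misconfiguration
    worth catching before any cleanup, since those zones cannot be signed."""
    return sorted(policies_referenced(zonelist_xml) - policies_defined(kasp_xml))


if __name__ == "__main__":
    print("prune candidates:", orphaned_policies(KASP_XML, ZONELIST_XML))
    print("dangling refs:   ", dangling_references(KASP_XML, ZONELIST_XML))
```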