[Opendnssec-user] Managing KASP policies

Dave Knight dave at knig.ht
Thu Jul 29 15:32:11 UTC 2010

Hi Rick,

On 2010-07-28, at 3:00 AM, Rick van Rein wrote:

> Hi Dave,
>> If I remove one from that file, then run `ksm update all`, it isn't actually removed and now I have inconsistency between the file and the db. While there is a `ksm zone delete` command there is no corresponding `ksm policy delete`. 
> The idea behind this is that removal of a policy is almost certainly a
> mistake.  For that reason, it is not removed from the database.  It does
> not matter much, except that it does mean that keys are kept around.
> We use OpenDNSSEC with a dynamic set of policies, and have therefore
> proposed a patch to add a "policy prune" command to ksm.  This removes
> any policy that has no zone attached, and will also clean up its keys.
> We are currently proposing this patch for inclusion in future versions
> of OpenDNSSEC -- probably in 1.2.

I'm trying to get rid of policies which have no associated zones, but probably have never-will-be-used keys hanging around, so this sounds pretty much exactly like what I want :)

> We are doing 1.2'ish things, namely registrar functions, and needed to
> set up key sharing among customers.  Each customer has its own shared key
> set, and that implies that each customer must have its own policy.  When
> customers disappear, their policies and keys must also be dropped.

My setup is not on a big scale, in total it will ultimately handle under a hundred zones, but I do have a need for different policies, some zones need nsec3, some may use shared keys. I like to be able to try stuff out and then definitively clean up after myself. 

>> Am I doing something wrong? Is this better in a newer release?
> Not likely before 1.2, unless you'd apply our patch to 1.1.1:
> http://trac.opendnssec.org/attachment/ticket/151/opendnssec-1.1.1-policy-prune.patch
> What is your use case for wanting to drop policies?

While trying things out I have created a few test policies which I now want to get rid of. I don't see an ongoing need for this as really trying stuff out ought to be happening in a lab environment where I can blow away the whole config and start over. 
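The "policy prune" semantics discussed in the thread (drop every policy with no zone attached and clean up the keys that belong to it), shown as an added example that is not part of the original mail or of OpenDNSSEC: the tables, column names and sample rows below are a constructed, simplified stand-in, not the real kasp.db schema.

```python
import sqlite3

# Constructed stand-in for a KASP store (NOT OpenDNSSEC's real kasp.db schema):
# policies, zones that reference a policy, and keys owned by a policy.
SCHEMA = """
CREATE TABLE policies (id INTEGER PRIMARY KEY, name TEXT UNIQUE NOT NULL);
CREATE TABLE zones (id INTEGER PRIMARY KEY, name TEXT UNIQUE NOT NULL,
                    policy_id INTEGER NOT NULL REFERENCES policies(id));
CREATE TABLE keys (id INTEGER PRIMARY KEY,
                   policy_id INTEGER NOT NULL REFERENCES policies(id),
                   locator TEXT NOT NULL);
"""

def open_sample_db():
    """Build an in-memory store with constructed sample data."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO policies(name) VALUES (?)",
                   [("default",), ("nsec3-test",), ("shared-customer-a",)])
    # 'nsec3-test' is a left-over experiment: keys exist, no zone uses it.
    db.executemany("INSERT INTO zones(name, policy_id) VALUES (?, ?)",
                   [("example.org", 1), ("example.net", 3)])
    db.executemany("INSERT INTO keys(policy_id, locator) VALUES (?, ?)",
                   [(1, "ksk-default"), (2, "ksk-nsec3-test"),
                    (2, "zsk-nsec3-test"), (3, "zsk-shared-a")])
    db.commit()
    return db

def unused_policies(db):
    """Names of policies that no zone references: the prune candidates."""
    rows = db.execute("""SELECT p.name FROM policies p
                         WHERE NOT EXISTS (SELECT 1 FROM zones z
                                           WHERE z.policy_id = p.id)
                         ORDER BY p.name""")
    return [r[0] for r in rows]

def prune_unused_policies(db):
    """Delete each zone-less policy together with its keys, in one transaction.
    Returns (pruned policy names, number of key records removed)."""
    names = unused_policies(db)
    removed_keys = 0
    with db:  # commit only if every delete succeeds, else roll back
        for name in names:
            pid = db.execute("SELECT id FROM policies WHERE name = ?",
                             (name,)).fetchone()[0]
            removed_keys += db.execute("DELETE FROM keys WHERE policy_id = ?",
                                       (pid,)).rowcount
            db.execute("DELETE FROM policies WHERE id = ?", (pid,))
    return names, removed_keys
```

Policies still referenced by a zone are never touched, so running the prune repeatedly is safe and a second run removes nothing.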
