[Opendnssec-user] Old policies in database

Siôn Lloyd sion at nominet.org.uk
Fri Nov 18 10:25:38 UTC 2011

On 18/11/11 09:26, Casper Gielen wrote:
> Hello,
> I just discovered that there are a number of old policies in the database that are no longer in kasp.xml:
> # grep name /etc/opendnssec/kasp.xml
>          <Policy name="uvtonly">
>          <Policy name="fulldnssec">
>          <Policy name="testshort">
> # ods-ksmutil policy list
> Policies:
> Name:           Description:
> default         A default ...
> fulldnssec      Policy for ....
> nostandby       Policy without...
> nostandbykeys   Policy without...
> testshort       Test policy for ....
> uvtonly         Zones that ...

Yes, although unused policies are largely ignored (they will generate 
the odd line in the log file) they will not automatically be deleted 
from the database.

There is a command:

ods-ksmutil policy purge

which removes policies that have no zones on them. Two things to note:

1) This function is described as experimental as it doesn't get regular 
use, so I would strongly advise backing up your database and kasp.xml 
before running it.
2) It might rely on kasp.xml matching the database, so you may need to 
add at least:

<Policy name="default"></Policy>

for it to work.
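A pre-check for the procedure described in the reply, added here as an example (it is not part of the thread and not an OpenDNSSEC tool): it lists the policies that `ods-ksmutil policy list` reports but kasp.xml no longer declares, and with --run it first takes the backups the reply recommends, refuses to continue if "default" is among the undeclared policies (the case the reply says may need a <Policy name="default"></Policy> entry), and only then runs `ods-ksmutil policy purge`. The kasp.xml path is the one shown in the thread; the database path /var/lib/opendnssec/db/kasp.db is an assumption (the usual SQLite default on 1.x installs). The sample listings are constructed from the ones quoted above so the check runs offline. Note that the purge removes every policy with no zones, which is not necessarily the same set as the policies missing from kasp.xml.

```shell
#!/bin/sh
# Added example, not from the thread or the OpenDNSSEC project.
# Lists policies that are in the KASP database but no longer declared in
# kasp.xml, then (with --run) backs up kasp.xml and the database and runs
# 'ods-ksmutil policy purge'. Paths are assumptions: KASP_XML is where the
# thread shows it, KASP_DB is the usual 1.x SQLite default.
KASP_XML=${KASP_XML:-/etc/opendnssec/kasp.xml}
KASP_DB=${KASP_DB:-/var/lib/opendnssec/db/kasp.db}

# Policy names declared in kasp.xml, one per line, sorted.
policies_in_xml() {
    sed -n 's/.*<Policy[^>]*name="\([^"]*\)".*/\1/p' "$1" | sort -u
}

# Policies in the database but not in kasp.xml.
# $1 = kasp.xml, $2 = a file holding the output of 'ods-ksmutil policy list'
# (the first column of every line after the "Name:" header is a policy name).
stale_policies() {
    awk '
        NR == FNR {
            if (match($0, /<Policy[^>]*name="[^"]*"/)) {
                s = substr($0, RSTART, RLENGTH)
                sub(/.*name="/, "", s); sub(/"$/, "", s)
                xml[s] = 1
            }
            next
        }
        /^Name:/ { hdr = 1; next }
        hdr && NF && !($1 in xml) { print $1 }
    ' "$1" "$2"
}

# Backups first, as the reply advises, then the purge. Copying the SQLite file
# is only consistent if ods-enforcerd is stopped; a MySQL backend needs a
# mysqldump instead. Stops before purging if "default" is not in kasp.xml.
backup_and_purge() {
    stamp=$(date +%Y%m%d%H%M%S)
    cp -p "$KASP_XML" "$KASP_XML.$stamp.bak"
    cp -p "$KASP_DB" "$KASP_DB.$stamp.bak"
    ods-ksmutil policy list > "$KASP_XML.policies.$stamp.txt"
    if stale_policies "$KASP_XML" "$KASP_XML.policies.$stamp.txt" | grep -qx default; then
        echo "note: 'default' is not declared in $KASP_XML; the reply suggests adding" >&2
        echo "      <Policy name=\"default\"></Policy> there before purging" >&2
        return 1
    fi
    ods-ksmutil policy purge
}

# Constructed sample input (copied from the listings quoted in the thread) so
# the check can be tried offline, without an OpenDNSSEC installation.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/kasp.xml" <<'EOF'
<KASP>
        <Policy name="uvtonly"></Policy>
        <Policy name="fulldnssec"></Policy>
        <Policy name="testshort"></Policy>
</KASP>
EOF
cat > "$demo_dir/policy_list.txt" <<'EOF'
Policies:
Name:           Description:
default         A default ...
fulldnssec      Policy for ....
nostandby       Policy without...
nostandbykeys   Policy without...
testshort       Test policy for ....
uvtonly         Zones that ...
EOF

if [ "${1:-}" = "--run" ]; then
    backup_and_purge
else
    echo "In the database but not in kasp.xml (dry run on sample data):"
    stale_policies "$demo_dir/kasp.xml" "$demo_dir/policy_list.txt"
fi
```

Without --run the script only prints the mismatch on the sample data; on a real installation, run it as the user that owns the OpenDNSSEC database and keep the timestamped .bak copies until the enforcer has been seen working after the purge.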
