Hi Dave,

> If I remove one from that file, then run `ksm update all`, it isn't actually
> removed and now I have inconsistency between the file and the db. While there
> is a `ksm zone delete` command there is no corresponding `ksm policy delete`.

The idea behind this is that removal of a policy is almost certainly a mistake. For that reason, it is not removed from the database. It does not matter much, except that it does mean that keys are kept around.

We use OpenDNSSEC with a dynamic set of policies, and have therefore proposed a patch to add a "policy prune" command to ksm. This removes any policy that has no zone attached, and will also clean up its keys. We are currently proposing this patch for inclusion in future versions of OpenDNSSEC -- probably in 1.2.

We are doing 1.2'ish things, namely registrar functions, and needed to set up key sharing among customers. Each customer has its own shared key set, and that implies that each customer must have its own policy. When customers disappear, their policies and keys must also be dropped.

> Am I doing something wrong? Is this better in a newer release?

Not likely before 1.2, unless you'd apply our patch to 1.1.1:
http://trac.opendnssec.org/attachment/ticket/151/opendnssec-1.1.1-policy-prune.patch

What is your use case for wanting to drop policies?

Cheers,
-Rick

_______________________________________________
Opendnssec-user mailing list
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
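Rick's description of what a `policy prune` would do (drop every policy with no zone attached, then its keys) and Dave's file-versus-database drift, worked as an added Python example that is not OpenDNSSEC's or the patch's own code: the sqlite tables, column names, the `kasp.xml` fragment and the sample rows are constructed stand-ins for the KASP database, not its real schema.

```python
import sqlite3
import xml.etree.ElementTree as ET

# Constructed kasp.xml fragment: "default" and "cust-a" remain, other policies were removed from the file.
KASP_XML = """<KASP>
  <Policy name="default"><Description>shared policy</Description></Policy>
  <Policy name="cust-a"><Description>customer A</Description></Policy>
</KASP>"""


def build_db():
    """Constructed stand-in for the KASP database (assumed table and column names)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE policies (id INTEGER PRIMARY KEY, name TEXT UNIQUE);
        CREATE TABLE zones (id INTEGER PRIMARY KEY, name TEXT, policy_id INTEGER REFERENCES policies(id));
        CREATE TABLE keypairs (id INTEGER PRIMARY KEY, policy_id INTEGER REFERENCES policies(id), hsm_key TEXT);
        INSERT INTO policies VALUES (1,'default'),(2,'cust-a'),(3,'cust-b'),(4,'cust-c');
        INSERT INTO zones VALUES (1,'example.net',1),(2,'a.example',2),(3,'c.example',4);
        INSERT INTO keypairs VALUES (1,1,'k1'),(2,2,'k2'),(3,3,'k3'),(4,3,'k4'),(5,4,'k5');
    """)
    return db


def file_policies(xml_text):
    """Policy names still declared in kasp.xml."""
    return {p.get("name") for p in ET.fromstring(xml_text).iter("Policy")}


def stale_policies(db, xml_text):
    """Policies the database still knows but kasp.xml no longer declares (the drift Dave saw)."""
    in_db = {row[0] for row in db.execute("SELECT name FROM policies")}
    return sorted(in_db - file_policies(xml_text))


def prune_policies(db, dry_run=True):
    """Remove policies with no zone attached, together with their keypairs.
    A policy still referenced by a zone is left alone even if it is gone from kasp.xml,
    so a removal that was a mistake cannot strip keys from a live zone."""
    orphans = db.execute("""SELECT p.id, p.name FROM policies p
                            WHERE NOT EXISTS (SELECT 1 FROM zones z WHERE z.policy_id = p.id)""").fetchall()
    if dry_run:  # report first; run with dry_run=False to actually delete
        return [name for _, name in orphans]
    with db:  # one transaction: keys and policy go together, or nothing does
        for pid, _ in orphans:
            db.execute("DELETE FROM keypairs WHERE policy_id = ?", (pid,))
            db.execute("DELETE FROM policies WHERE id = ?", (pid,))
    return [name for _, name in orphans]
```

Run with the constructed data, `stale_policies` flags both `cust-b` and `cust-c` as missing from the file, but `prune_policies` only removes `cust-b`, because `c.example` still points at `cust-c`.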
