Hi Rick,

On 2010-07-28, at 3:00 AM, Rick van Rein wrote:

> Hi Dave,
>
>> If I remove one from that file, then run `ksm update all`, it isn't actually
>> removed and now I have inconsistency between the file and the db. While
>> there is a `ksm zone delete` command there is no corresponding `ksm policy
>> delete`.
>
> The idea behind this is that removal of a policy is almost certainly a
> mistake. For that reason, it is not removed from the database. It does
> not matter much, except that it does mean that keys are kept around.
>
> We use OpenDNSSEC with a dynamic set of policies, and have therefore
> proposed a patch to add a "policy prune" command to ksm. This removes
> any policy that has no zone attached, and will also clean up its keys.
> We are currently proposing this patch for inclusion in future versions
> of OpenDNSSEC -- probably in 1.2.

I'm trying to get rid of policies which have no associated zones, but
probably have never-will-be-used keys hanging around, so this sounds pretty
much exactly like what I want :)

> We are doing 1.2-ish things, namely registrar functions, and needed to
> set up key sharing among customers. Each customer has its own shared key
> set, and that implies that each customer must have its own policy. When
> customers disappear, their policies and keys must also be dropped.

My setup is not on a big scale; in total it will ultimately handle under a
hundred zones, but I do have a need for different policies: some zones need
nsec3, some may use shared keys. I like to be able to try stuff out and then
definitively clean up after myself.

>> Am I doing something wrong? Is this better in a newer release?
>
> Not likely before 1.2, unless you'd apply our patch to 1.1.1:
>
> http://trac.opendnssec.org/attachment/ticket/151/opendnssec-1.1.1-policy-prune.patch
>
> What is your use case for wanting to drop policies?

While trying things out I have created a few test policies which I now want
to get rid of.

I don't see an ongoing need for this, as really trying stuff out ought to be
happening in a lab environment where I can blow away the whole config and
start over.

dave

_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
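The thread above is about policies that remain defined (and keep keys around) after the last zone using them is gone. A check an operator can run before pruning anything is to compare the policy file against the zone list and report policies no zone references, plus zones that name a policy the file no longer defines. The script below is an added example written for this thread; it is not code from the thread or from OpenDNSSEC, and it assumes the OpenDNSSEC 1.x file layouts (a `kasp.xml` with `<KASP><Policy name="...">` elements and a `zonelist.xml` with `<ZoneList><Zone name="..."><Policy>...</Policy>` elements). The two XML documents embedded in it are constructed samples; `audit_files` is a hypothetical helper for running the same check on real files.

```python
"""Report OpenDNSSEC policies with no zone attached, and zones whose policy
is no longer defined.

Added example, not part of the mailing-list thread or of OpenDNSSEC itself.
Assumes the 1.x layouts of kasp.xml and zonelist.xml described in the lead-in.
The two documents below are constructed samples.
"""
import xml.etree.ElementTree as ET

# Constructed sample kasp.xml: three policies, one of them an old experiment.
KASP_XML = """<?xml version="1.0" encoding="UTF-8"?>
<KASP>
  <Policy name="default"><Description>NSEC, unshared keys</Description></Policy>
  <Policy name="nsec3"><Description>NSEC3 zones</Description></Policy>
  <Policy name="test-old"><Description>experiment, no zones left</Description></Policy>
</KASP>
"""

# Constructed sample zonelist.xml: one zone points at a policy that is not
# defined in kasp.xml, to show the opposite inconsistency as well.
ZONELIST_XML = """<?xml version="1.0" encoding="UTF-8"?>
<ZoneList>
  <Zone name="example.com"><Policy>default</Policy></Zone>
  <Zone name="example.net"><Policy>nsec3</Policy></Zone>
  <Zone name="example.org"><Policy>missing</Policy></Zone>
</ZoneList>
"""


def policies_in_kasp(kasp_text):
    """Return the set of policy names defined in a kasp.xml document."""
    root = ET.fromstring(kasp_text)
    return {p.get("name") for p in root.findall("Policy") if p.get("name")}


def zones_by_policy(zonelist_text):
    """Map each policy name referenced in zonelist.xml to the zones using it."""
    root = ET.fromstring(zonelist_text)
    out = {}
    for zone in root.findall("Zone"):
        policy = zone.findtext("Policy")
        out.setdefault(policy, []).append(zone.get("name"))
    return out


def audit(kasp_text, zonelist_text):
    """Compare the two files and return both directions of inconsistency.

    orphan_policies: defined in kasp.xml but referenced by no zone (the kind
                     of policy a 'policy prune' would remove).
    dangling_zones:  zones whose <Policy> names something kasp.xml lacks.
    """
    defined = policies_in_kasp(kasp_text)
    used = zones_by_policy(zonelist_text)
    orphan_policies = sorted(defined - set(used))
    dangling_zones = {p: z for p, z in used.items() if p not in defined}
    return {"orphan_policies": orphan_policies, "dangling_zones": dangling_zones}


def audit_files(kasp_path, zonelist_path):
    """Hypothetical helper: run the same audit on real files on disk."""
    with open(kasp_path, encoding="utf-8") as k, open(zonelist_path, encoding="utf-8") as z:
        return audit(k.read(), z.read())


if __name__ == "__main__":
    report = audit(KASP_XML, ZONELIST_XML)
    for name in report["orphan_policies"]:
        print(f"policy {name!r} has no zones attached (prune candidate)")
    for name, zones in report["dangling_zones"].items():
        print(f"policy {name!r} is used by {zones} but not defined in kasp.xml")
```

Note that this only compares the two configuration files. As Rick points out, the KASP database keeps a policy (and its keys) after it disappears from `kasp.xml` and `ksm update all` is run, so a policy this script reports as an orphan may still be present in the database; that is exactly the state the proposed `policy prune` command is meant to clean up.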
