DNSSEC, purge old unused keys
Currently, old keys are not removed from the zone configuration during rollovers.
Old keys can be purged when new the rollover is finished.
Activity
This seems like a good thing to add – I was going to suggest it myself. I'd propose adding another timer parameter to the KASP-DB for the final deletion of an old key, perhaps with a default setting of some fixed time after the 'remove' parameter.
Edited by Matthew PounsettI was thinking about three possible approaches:
- We can remove the keys immediately when they are retired (sounds dangerous).
- We can add a timer to remove the keys that has been retired for some period of time (as proposed by Matthew).
- Or we can preserver some amount of retired keys.
I'm not sure what's best.
Edited by Jan VčelákReassigned to @fsiroky
Mentioned in merge request !595 (merged)
Mentioned in merge request !597 (merged)
closed via commit 7fa8ad0b
closed via merge request !597 (merged)
mentioned in commit 7fa8ad0b
Please register or sign in to reply