mirror of
https://gitlab.isc.org/isc-projects/bind9
synced 2025-08-31 14:35:26 +00:00
Purge keys implementation
On each keymgr run, we now also check if key files can be removed. The 'purge-keys' interval determines how long keys should be retained after they have become completely hidden. Key files should not be removed if the key has a state that is set to something other than HIDDEN, if purge-keys is 0 (disabled), if the key goal is set to OMNIPRESENT, or if the key is unused (a key is unused if no timing metadata is set, and no states are set or, if set, they are set to HIDDEN). If the last changed timing metadata plus the purge-keys interval is in the past, the key files may be removed. Add a dst_key_t variable 'purge' to signal that the key file should not be written to file again.
@@ -1290,6 +1290,7 @@ dns_dnsseckey_create(isc_mem_t *mctx, dst_key_t **dstkey,
|
||||
dk->hint_remove = false;
|
||||
dk->first_sign = false;
|
||||
dk->is_active = false;
|
||||
dk->purge = false;
|
||||
dk->prepublish = 0;
|
||||
dk->source = dns_keysource_unknown;
|
||||
dk->index = 0;
|
||||
|
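Review bot: The new `dk->purge = false;` initialisation in dns_dnsseckey_create() sits on `dk` next to hint_remove, first_sign and is_active, while the commit message describes 'purge' as a dst_key_t variable, so it is not clear from this hunk which object owns the flag. Please align the commit message with the code, and add a comment where the field is declared stating that it means the key file must not be written to file again. Defaulting to false is the right choice, since a newly created key is then never treated as purgeable until the keymgr checks described in the message have run.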