When Knot generates a key pair, it will save it in some directory in the
filesystem - in the clear, when using the default cryptographic provider,
or as an encrypted blob when using SoftHSM, or (possibly) a real HSM.
Imagine that I have a setup with many zones, with a signing policy that
causes them to be re-signed often - say, every hour or so. This implies
that new key pairs will be generated all the time.
My question is, how does Knot manage key pairs that it does not need any
more? It does not seem to remove them automatically. Does it provide any
mechanisms or tools to do so?