Hi,

I'm currently thinking about some DNSSEC key handling scenarios and how to implement them with OpenDNSSEC. One of the scenarios is to hold the KSK on a smartcard, pre-generate the ZSKs for a period, let's say one year, and sign the generated ZSKs with the KSK on the smartcard. After the ZSK generation, the KSK smartcard is put into a safe and the daily signing work (including the ZSK rollovers) is done only with the ZSKs and the pre-generated signatures.

Does OpenDNSSEC support such a scenario, and what does the configuration have to look like? If I understand it correctly, the configured HSMs in the OpenDNSSEC configuration files have to be online all the time.

Are there any recommendations for such smartcard HSMs?

Thanks in advance and best regards,
Michael
_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user