On 5 May 2010, at 11.26, Michael Braunoeder wrote:

> I'm currently thinking about some DNSSEC key handling scenarios and how to 
> implement them with OpenDNSSEC. One of the scenarios is to hold the KSK on a 
> smartcard, pre-generate the ZSKs for a period, let's say one year, and sign 
> the generated ZSKs with the KSK on the smartcard.
> After the ZSK-generation, the KSK-smartcard is put into a safe and the daily 
> signing work (including the ZSK rollovers) is done only with the ZSKs and the 
> pregenerated signatures.
> 
> Does OpenDNSSEC support such a scenario and how does the configuration have to 
> look? If I understand it correctly, the configured HSMs in the OpenDNSSEC 
> configuration files have to be online all the time.

OpenDNSSEC does not currently support any type of offline HSM, sorry.

> Are there any recommendations of such smartcard-HSMs?

There are several smartcard HSMs that you can use with OpenDNSSEC today. I 
would start looking at the ones supported by OpenSC, see 
http://www.opensc-project.org/opensc/wiki/SupportedHardware for a list.


        jakob

_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
