Hi,
I'm currently implementing a DNSSEC setup and I need some ideas on how to solve a specific problem.
Our setup looks like this:
We use hardware HSMs to store the keys (KSKs and ZSKs) and to do the daily work. The DS record(s) for the KSK(s) are added to the parent zone. To be prepared in case of failure of these HSMs, we would like to generate a key stored in a SoftHSM. The DNSKEY record of this key should also be added to the signed zone (only the DNSKEY record; no signatures should be generated with this key) and the corresponding DS record to the parent zone. For security reasons this SoftHSM should not be available on the server. In case of emergency, the SoftHSM is copied to the server and a key rollover to this key should be done.
How can I realize this setup with OpenDNSSEC? Is it possible to keep this key in the "Publish" state until 1.1.2100 (or something like that)?
Thanks in advance and best,
Michael
_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
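Whatever the signer does, the standby arrangement described in the post can be verified from the published zone: the emergency key's DNSKEY must be present, no RRSIG may carry its key tag, and the DS handed to the parent must match that DNSKEY. The following is an added example (not from the post, nor OpenDNSSEC code) that computes the RFC 4034 key tag and the RFC 4509 SHA-256 DS for a DNSKEY and checks a zone fragment for exactly that "published but not signing" condition; the zone lines and keys are constructed sample data.

```python
import base64
import hashlib
import struct

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """Wire-format DNSKEY RDATA (RFC 4034 section 2.1)."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """Key tag over the DNSKEY RDATA (RFC 4034 appendix B, non-RSAMD5 case)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def owner_wire(name):
    """Canonical (lower-case) wire form of the owner name, RFC 4034 section 6.2."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def ds_sha256(owner, rdata):
    """DS digest type 2: SHA-256(owner name | DNSKEY RDATA), RFC 4509."""
    return hashlib.sha256(owner_wire(owner) + rdata).hexdigest().upper()

def ds_line(owner, rdata):
    """Presentation-format DS record to hand to the parent zone."""
    return f"{owner} IN DS {key_tag(rdata)} {rdata[3]} 2 {ds_sha256(owner, rdata)}"

def standby_key_status(zone_lines, tag):
    """Return (dnskey_published, used_for_signing) for one key tag in a zone."""
    published, signing = False, False
    for line in zone_lines:
        f = line.split()
        if len(f) < 8 or f[2] != "IN":
            continue
        if f[3] == "DNSKEY":  # owner ttl IN DNSKEY flags proto alg key...
            rdata = dnskey_rdata(int(f[4]), int(f[5]), int(f[6]), "".join(f[7:]))
            published |= key_tag(rdata) == tag
        elif f[3] == "RRSIG" and len(f) > 10:  # field 10 is the signer's key tag
            signing |= int(f[10]) == tag
    return published, signing

# Constructed sample zone (dummy keys, not real DNSSEC material):
# key tag 2063 is the active KSK, key tag 4119 is the emergency key that is
# only published in the DNSKEY RRset and never signs anything.
ZONE = [
    "example.com. 3600 IN DNSKEY 257 3 8 AQIDBA==",
    "example.com. 3600 IN DNSKEY 257 3 8 BQYHCA==",
    "example.com. 3600 IN RRSIG DNSKEY 8 2 3600 20250201000000 20250101000000 2063 example.com. c2lnbmF0dXJl",
]

if __name__ == "__main__":
    print(ds_line("example.com.", dnskey_rdata(257, 3, 8, "BQYHCA==")))
    print(standby_key_status(ZONE, 4119))  # expected (True, False)
```

Running the script prints the DS line for the emergency key and confirms it is published but not signing; a (True, True) result would mean the standby key has been used for signatures, which the post's design forbids.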