On 12/01/2011 11:04 AM, Michael Braunoeder wrote:
> Hi,
>
> I'm currently implementing a DNSSEC setup and I need some ideas on how to
> fix a specific problem.
>
> Our setup looks like this:
> We use hardware HSMs to store the keys (KSKs and ZSKs) and to do the
> daily work. The DS record(s) for the KSK(s) are added to the parent
> zone. To be prepared in case of failures of these HSMs, we would like
> to generate a key stored in a SoftHSM. The DNSKEY record of this key
> should also be added to the signed zone (only the DNSKEY record; no
> signatures with this key should be generated) and the corresponding
> DS record to the parent zone. For security reasons this SoftHSM should
> not be available on the server. In case of emergency, the SoftHSM is
> copied to the server and a key rollover to this key should be done.
>
> How can I realize this setup with OpenDNSSEC? Is it possible to keep
> this key in the "Publish" state until 1.1.2100 (or something like that)?
What I would do is to add the emergency DNSKEY as a normal RR in the plain zone, because OpenDNSSEC doesn't need to maintain its state as a key. Then, in case of a rollover, it should be a matter of adding a new keystore with SoftHSM. Just thinking, never tested.

Hugo

_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
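As an added illustration of Hugo's suggestion (not code from this thread or from OpenDNSSEC): given the emergency KSK's DNSKEY RR that would be pasted as a normal RR into the plain zone, this Python computes its key tag (RFC 4034 Appendix B) and the SHA-256 DS record to hand to the parent zone operator. The owner name example. and the key bytes are constructed placeholders, not real key material.

```python
import base64
import hashlib

# Constructed placeholder key material (NOT a real key): 64 bytes standing in for an
# ECDSAP256SHA256 (algorithm 13) public key of a hypothetical emergency KSK.
PLACEHOLDER_PUBKEY = bytes(range(1, 65))
# The RR as it would appear in the plain (unsigned) zone; owner name is a placeholder.
EMERGENCY_DNSKEY = ("example. 3600 IN DNSKEY 257 3 13 "
                    + base64.b64encode(PLACEHOLDER_PUBKEY).decode())

def parse_dnskey(rr):
    """Split a presentation-format DNSKEY RR into (owner, flags, proto, alg, pubkey)."""
    fields = rr.split()
    if fields[1].isdigit():  # optional TTL between owner and class
        del fields[1]
    owner, _cls, rrtype, flags, proto, alg = fields[:6]
    if rrtype != "DNSKEY":
        raise ValueError("not a DNSKEY record")
    return owner, int(flags), int(proto), int(alg), base64.b64decode("".join(fields[6:]))

def dnskey_rdata(flags, proto, alg, pubkey):
    """Wire-format DNSKEY RDATA (RFC 4034 section 2.1): flags, protocol, algorithm, key."""
    return flags.to_bytes(2, "big") + bytes([proto, alg]) + pubkey

def key_tag(rdata):
    """Key tag as computed in RFC 4034 Appendix B (all algorithms except RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def owner_wire(name):
    """Canonical (lower-case) wire form of the owner name, used as DS digest input."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode() for lab in labels) + b"\x00"

def ds_record(rr):
    """Build the DS RR (digest type 2 = SHA-256) to hand to the parent zone operator."""
    owner, flags, proto, alg, pubkey = parse_dnskey(rr)
    if (flags & 0x0101) != 0x0101:  # Zone Key + SEP bits: only a KSK gets a DS
        raise ValueError("DS must point at a KSK (flags 257)")
    rdata = dnskey_rdata(flags, proto, alg, pubkey)
    digest = hashlib.sha256(owner_wire(owner) + rdata).hexdigest().upper()
    return f"{owner} IN DS {key_tag(rdata)} {alg} 2 {digest}"
```

Run `ds_record(EMERGENCY_DNSKEY)` to get the DS line; compare its key tag and digest against what the parent publishes before relying on the emergency key for a rollover.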
