On 01.12.2011 15:30, Hugo Salgado wrote:
On 12/01/2011 11:04 AM, Michael Braunoeder wrote:
Hi,

I'm currently implementing a DNSSEC-Setup and I need some ideas how to
fix a specific problem.

Our setup looks like this:
We use Hardware-HSMs to store the keys (KSKs and ZSKs) and to do the
daily work. The DS-Record(s) for the KSK(s) are added to the parent
zone. To be prepared in case of failures of these HSMs, we would like
to generate a key stored in a SoftHSM. The DNSKEY-Record of this key
should also be added to the signed zone (only the DNSKEY-Record, no
signatures with this key should be generated) and the corresponding
DS-Record to the parent zone. For security reasons this SoftHSM should
not be available on the server. In case of emergency, the SoftHSM is
copied to the server and a key rollover to this key should be done.

How can I realize this setup with OpenDNSSEC? Is it possible to keep
this key in the "Publish" state until 1.1.2100 (or something like that)?

What I would do is to add the emergency DNSKEY as a normal RR in the
plain zone, because OpenDNSSEC doesn't need to maintain its state as a
key.

Then, in case of a rollover, it should be a matter of adding a new
keystore with SoftHSM.

If it would be that easy, this would be great :-)

Just thinking, never tested.

IIRC I tested it some time ago (with one of the first OpenDNSSEC beta versions) and I got an error. But I'll test it again.

Best,
Michael
_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
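
Added example, not part of the original thread and not OpenDNSSEC code: deriving, per RFC 4034, the DNSKEY line that would go into the unsigned zone and the matching SHA-256 DS for the parent from the standby key's public half. The owner name, TTL and key bytes are constructed placeholders, and the function names are hypothetical.

```python
import base64
import hashlib
import struct

# Constructed placeholder, NOT a real key: the real value would be the
# public key exported from the offline SoftHSM.
STANDBY_PUBKEY_B64 = "AwEAAavN7wE="

def name_to_wire(name):
    """Canonical (lower-case) wire form of an owner name, RFC 4034 section 6.2."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, algorithm, pubkey_b64, protocol=3):
    """DNSKEY RDATA: flags (2 bytes), protocol (1), algorithm (1), public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """Key tag as defined in RFC 4034 Appendix B."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def standby_records(owner, ttl, flags, algorithm, pubkey_b64):
    """Return (DNSKEY line for the unsigned zone, DS line for the parent)."""
    if not flags & 0x0100:
        raise ValueError("a DS may only refer to a DNSKEY with the Zone Key flag set")
    rdata = dnskey_rdata(flags, algorithm, pubkey_b64)
    # DS digest input is the canonical owner name followed by the DNSKEY RDATA.
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    dnskey = f"{owner} {ttl} IN DNSKEY {flags} 3 {algorithm} {pubkey_b64}"
    ds = f"{owner} {ttl} IN DS {key_tag(rdata)} {algorithm} 2 {digest}"  # 2 = SHA-256
    return dnskey, ds

if __name__ == "__main__":
    # 257 = Zone Key + SEP flags, 8 = RSASHA256 (assumed for this sample)
    for line in standby_records("example.", 3600, 257, 8, STANDBY_PUBKEY_B64):
        print(line)
```

Comparing the key tag and digest printed here with the DS actually published in the parent confirms that the offline key is the one the parent delegates to before it is ever needed.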
