On 08.07.2013 17:53, Joe Abley wrote:
Hi Klaus,

On 2013-07-08, at 09:13, Klaus Darilion
<klaus.mailingli...@pernau.at> wrote:

I want to sign a certain zone multiple times: 1x the original zone
+ 1x a modified "backup" zone (change SOA serial and maybe some
other records)

CIRA's signing infrastructure with .CA provides some experience for a
somewhat similar setup. CIRA uses OpenDNSSEC to manage the key
policy, and the identities of the keys required to make signatures are
extracted from the live policy in order to do their parallel signing
with BIND9 (they sign with multiple signers and compare the results
before publication).

So, they sign with ods-signer and additionally with the BIND signing tools? Or do they use only the BIND signing tools?

You could do similar -- extract the key identities from ODS, modify
the unsigned zone automagically to your requirements and use the
BIND9 tools to sign it with the appropriate keys.

In addition to whatever risks you are mitigating by having the
standby signed zone ready for publication, this would also give you
an independent implementation (so, e.g., if there ever turns out to
be a problem in the ODS signer you have an independently-signed zone
to give you some extra comfort).

Indeed, but twice as much engineering work ;-)

btw: I just found pkcs11-proxy and some basic testing works fine. Does anybody have practical experience with pkcs11-proxy?

regards
Klaus
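A pre-publication consistency check for the parallel-signing setup discussed above (sign the zone with ods-signer and again with the BIND9 tools, compare before publishing), as an added example that is neither CIRA's nor OpenDNSSEC's code. It assumes both signed zones are in master-file format with fully qualified owner names and no ';' inside quoted rdata; the zone names, key tag and signature strings in the embedded samples are constructed.

```python
"""Added example, not OpenDNSSEC's or CIRA's code: check that two independent
signings of one zone agree on everything but signature bytes and the backup
copy's SOA serial. Assumes master-file input, FQDN owners, no ';' in quoted
rdata; the sample zones at the bottom are constructed."""

def parse_zone(text):
    """Set of (owner, type, rdata): joins ( ) continuations, drops comments, $-lines, TTL/class."""
    records, buf, depth, owner, inherit = set(), [], 0, None, False
    for raw in text.splitlines():
        if not buf: inherit = raw[:1].isspace()  # leading blank: reuse previous owner
        line = raw.split(";", 1)[0]
        depth += line.count("(") - line.count(")")
        buf.append(line.replace("(", " ").replace(")", " "))
        if depth > 0:
            continue  # still inside a parenthesised multi-line record
        fields, buf = " ".join(buf).split(), []
        if not fields or fields[0].startswith("$"):
            continue
        if not inherit:
            owner = fields.pop(0).lower()
        while fields and (fields[0].isdigit() or fields[0].upper() in ("IN", "CH", "HS")):
            fields.pop(0)  # optional TTL and class; TTLs are not compared here
        if fields and owner:
            records.add((owner, fields[0].upper(), " ".join(fields[1:])))
    return records

def normalize(record):
    """Mask what may legitimately differ: RRSIG keeps type/alg/keytag/signer, SOA serial wildcarded."""
    owner, rtype, f = record[0], record[1], record[2].split()
    if rtype == "RRSIG" and len(f) >= 9:
        f = [f[0], f[1], f[6], f[7]]  # signing key identity must match, timestamps and bytes need not
    elif rtype == "SOA" and len(f) == 7:
        f[2] = "SERIAL"  # the standby zone carries a deliberately bumped serial
    return owner, rtype, " ".join(f)

def compare_signed_zones(zone_a, zone_b):
    """Return (only_in_a, only_in_b); anything listed means the two signers disagree."""
    a, b = ({normalize(r) for r in parse_zone(z)} for z in (zone_a, zone_b))
    return sorted(a - b), sorted(b - a)

ZONE_ODS = """\
example. 3600 IN SOA ns1.example. root.example. 2013070801 7200 3600 1209600 3600
example. 3600 IN RRSIG SOA 8 1 3600 20130808000000 20130708000000 12345 example. AAAA==
"""
ZONE_BIND = """\
$TTL 3600
example. IN SOA ns1.example. root.example. ( 2013070802 ; serial bumped for the standby copy
         7200 3600 1209600 3600 )
         IN RRSIG SOA 8 1 3600 20130807230000 20130708010000 12345 example. BBBB==
"""
```

Read the two signer outputs into strings and pass them to compare_signed_zones(); an empty pair of lists means the copies differ only in signature bytes and the SOA serial, anything else should block publication until explained.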
_______________________________________________
Opendnssec-user mailing list
Opendnssec-user@lists.opendnssec.org
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user