On Tue, 9 Jul 2013, Klaus Darilion wrote:

CIRA's signing infrastructure with .CA provides some experience for a
somewhat similar setup. CIRA uses OpenDNSSEC to manage the key
policy, and the identities of the keys required to make signature are
extracted from the live policy in order to do their parallel signing
with BIND9 (they sign with multiple signers and compare the results
before publication).

So, they sign with ods-signer and additionally with the BIND signing tools? Or do they use only the BIND signing tools?

The unsigned zone is copied to both an OpenDNSSEC and a BIND system.
Both systems sign using their own implementation. Only the keys are
synchronized between the two; that is, ods-enforcerd determines when a
(ZSK) needs to roll.

Both are then fed through validators, including one that strips all
ephemeral data (timestamps etc) and checks if the zones are identical.

Paul
_______________________________________________
Opendnssec-user mailing list
Opendnssec-user@lists.opendnssec.org
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
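The comparison step Paul describes (strip the ephemeral data from two independently signed copies of the zone, then check that the rest is identical) can be written as a small normalizer. The following is an added example, not code from the thread or from CIRA's or OpenDNSSEC's validators. It assumes presentation-format zone files with one record per line (no parenthesised multi-line RRSIGs), treats the RRSIG expiration, inception and signature field as ephemeral, and also ignores the SOA serial, on the assumption that a signer may bump it on its own. The zone text, the key tag and the signature strings are all constructed sample data.

```python
"""Normalize two signed copies of a zone and report records that differ.

Ephemeral fields (assumption): RRSIG expiration, inception and signature,
plus the SOA serial. Everything else, including RRSIG key tags, signer
names and NSEC chains, must agree between the two signers.
"""
from typing import Optional, Set, Tuple


def normalize_record(line: str) -> Optional[str]:
    """Return a comparable form of one zone-file record, or None for blanks/comments."""
    line = line.split(";", 1)[0].strip()  # drop trailing comments
    if not line:
        return None
    tokens = line.split()
    if len(tokens) < 5:
        raise ValueError(f"unparseable record: {line!r}")
    owner, ttl, rclass, rtype, *rdata = tokens
    owner, rtype = owner.lower(), rtype.upper()
    if rtype == "RRSIG":
        # RFC 4034 RDATA order: type covered, algorithm, labels, original TTL,
        # expiration, inception, key tag, signer name, signature.
        if len(rdata) < 9:
            raise ValueError(f"truncated RRSIG: {line!r}")
        covered, alg, labels, orig_ttl, _exp, _inc, keytag, signer = rdata[:8]
        # Keep what must match between signers; drop the validity window and
        # the signature bits, which differ simply because the windows differ.
        rdata = [covered, alg, labels, orig_ttl, keytag, signer.lower()]
    elif rtype == "SOA":
        # mname rname serial refresh retry expire minimum; serial is dropped (assumption).
        if len(rdata) != 7:
            raise ValueError(f"malformed SOA: {line!r}")
        rdata = [rdata[0].lower(), rdata[1].lower()] + rdata[3:]
    return " ".join([owner, ttl, rclass.upper(), rtype] + rdata)


def normalize_zone(zone_text: str) -> Set[str]:
    """Set of normalized records; order in the file is irrelevant."""
    return {r for r in map(normalize_record, zone_text.splitlines()) if r is not None}


def diff_zones(zone_a: str, zone_b: str) -> Tuple[Set[str], Set[str]]:
    """Return (records only in A, records only in B) after normalization."""
    na, nb = normalize_zone(zone_a), normalize_zone(zone_b)
    return na - nb, nb - na


def zones_equivalent(zone_a: str, zone_b: str) -> bool:
    only_a, only_b = diff_zones(zone_a, zone_b)
    return not only_a and not only_b


# Constructed sample output of signer 1 (placeholder key and signature strings).
ZONE_ODS = """\
example.test. 3600 IN SOA ns1.example.test. hostmaster.example.test. 2013070901 7200 3600 1209600 3600
example.test. 3600 IN NS ns1.example.test.
example.test. 3600 IN DNSKEY 256 3 8 AwEAAcoNsTrUcTeDzSk=
example.test. 3600 IN NSEC ns1.example.test. SOA NS RRSIG NSEC DNSKEY
example.test. 3600 IN RRSIG SOA 8 2 3600 20130809000000 20130709000000 12345 example.test. SIGODSSOA==
example.test. 3600 IN RRSIG NS 8 2 3600 20130809000000 20130709000000 12345 example.test. SIGODSNS==
example.test. 3600 IN RRSIG DNSKEY 8 2 3600 20130809000000 20130709000000 12345 example.test. SIGODSKEY==
example.test. 3600 IN RRSIG NSEC 8 2 3600 20130809000000 20130709000000 12345 example.test. SIGODSNSEC==
ns1.example.test. 3600 IN A 192.0.2.1
ns1.example.test. 3600 IN NSEC example.test. A RRSIG NSEC
ns1.example.test. 3600 IN RRSIG A 8 3 3600 20130809000000 20130709000000 12345 example.test. SIGODSA==
ns1.example.test. 3600 IN RRSIG NSEC 8 3 3600 20130809000000 20130709000000 12345 example.test. SIGODSNSEC2==
"""

# Constructed sample output of signer 2: same keys, different serial, validity
# windows, signatures and record order.
ZONE_BIND = """\
example.test. 3600 IN NS ns1.example.test.
example.test. 3600 IN RRSIG NS 8 2 3600 20130810120000 20130710120000 12345 example.test. SIGBINDNS==
example.test. 3600 IN SOA ns1.example.test. hostmaster.example.test. 2013070902 7200 3600 1209600 3600
example.test. 3600 IN RRSIG SOA 8 2 3600 20130810120000 20130710120000 12345 example.test. SIGBINDSOA==
example.test. 3600 IN DNSKEY 256 3 8 AwEAAcoNsTrUcTeDzSk=
example.test. 3600 IN RRSIG DNSKEY 8 2 3600 20130810120000 20130710120000 12345 example.test. SIGBINDKEY==
example.test. 3600 IN NSEC ns1.example.test. SOA NS RRSIG NSEC DNSKEY
example.test. 3600 IN RRSIG NSEC 8 2 3600 20130810120000 20130710120000 12345 example.test. SIGBINDNSEC==
ns1.example.test. 3600 IN A 192.0.2.1
ns1.example.test. 3600 IN RRSIG A 8 3 3600 20130810120000 20130710120000 12345 example.test. SIGBINDA==
ns1.example.test. 3600 IN NSEC example.test. A RRSIG NSEC
ns1.example.test. 3600 IN RRSIG NSEC 8 3 3600 20130810120000 20130710120000 12345 example.test. SIGBINDNSEC2==
"""

# Constructed failure case: one RRSIG made with key tag 99999, as if this signer
# had not picked up the key the enforcer rolled to.
ZONE_BAD = ZONE_BIND.replace(
    "ns1.example.test. 3600 IN RRSIG A 8 3 3600 20130810120000 20130710120000 12345",
    "ns1.example.test. 3600 IN RRSIG A 8 3 3600 20130810120000 20130710120000 99999",
)

if __name__ == "__main__":
    print("ods vs bind identical:", zones_equivalent(ZONE_ODS, ZONE_BIND))
    only_ods, only_bad = diff_zones(ZONE_ODS, ZONE_BAD)
    print("only in ods:", only_ods)
    print("only in bad:", only_bad)
```

Anything left in either difference set is a real disagreement between the two signers (a wrong key tag, a missing NSEC, a changed TTL) and is the signal to hold publication rather than push the zone.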
