Hi Klaus,

> On 16.07.2013 13:30, Gavin Brown wrote:
>> Hi there,
>>
>> We are evaluating an HSM for use with OpenDNSSEC. The vendor has
>> suggested that we consider manually generating all the keys we are
>> likely to need up-front, so that we only ever need to do a single backup.
>>
>> We're using this command to generate the keys:
>>
>> ods-ksmutil key generate --policy default --interval [PERIOD]
>>
>> where [PERIOD] is:
>>
>> number of zones * expected life of the system
>
> IIRC it is not necessary to specify 1000 years. If you have configured
> 100 zones all using the default policy, then it should be fine to just
> specify 10Y as interval - ODS automatically detects that this policy is
> used for 100 zones and automatically generates 100 times the required keys.

The system currently has no zones in it - it's completely fresh. We won't be adding zones until we know what they are, but the keys need to be in place before the zones are added.

G.

--
Gavin Brown
Chief Technology Officer
CentralNic Ltd
Innovative, Reliable and Flexible Registry Services
for ccTLD, gTLD and private domain name registries
https://www.centralnic.com/

CentralNic Ltd is a company registered in England and Wales with company number 4985780. Registered Offices: 35-39 Moorgate, London, EC2R 6AR.
