>>>> We are evaluating an HSM for use with OpenDNSSEC. The vendor has
>>>> suggested that we consider manually generating all the keys we are
>>>> likely to need up-front, so that we only ever need to do a single
>>>> backup.
>
> Btw: What HSMs do you use? We use nCipher and they are very easy to
> back up. The keys are stored encrypted on the hard disk. Thus, after
> creating new keys, we just have to back up the directory with the keys.
The devices we're evaluating are Safenet. Backups cannot be automated as they require a physical hardware token. This is the reason why we want to pre-generate all the keys, to avoid having to perform regular backups manually. Instead we generate all the keys we'll need, back up once, and forget about it.

We've also evaluated the nCipher gear, and I am familiar with the backup procedure for those - it's certainly a lot simpler.

> A workaround would be to add 100 dummy zones to ODS, use "ods-ksmutil
> key generate ..." to generate the keys (+100 ZSKs and 100 +KSKs), and
> then remove the dummy zones. Then, when you add new zones and they use
> the same policy as the dummy zones, the new zones will automatically
> use the previously generated keys.

Would keys be reused for new zones if they were previously associated with a different zone? I don't like the idea of that.

G.

-- 
Gavin Brown
Chief Technology Officer
CentralNic Ltd

Innovative, Reliable and Flexible Registry Services for ccTLD, gTLD and private domain name registries
https://www.centralnic.com/

CentralNic Ltd is a company registered in England and Wales with company number 4985780. Registered Offices: 35-39 Moorgate, London, EC2R 6AR.

_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
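The dummy-zone workaround quoted in the reply above, written out as a script. This is an added example, not code from the thread or from the OpenDNSSEC project. It assumes the OpenDNSSEC 1.x tools (ods-ksmutil, ods-hsmutil) are on PATH, that the policy name passed in exists in kasp.xml, and that ods-enforcerd is stopped for the duration, so that none of the freshly generated keys is allocated to a dummy zone before that zone is deleted again (as I understand the 1.x enforcer, keys created by "key generate" sit unallocated in the key pool until the enforcer hands them to a zone, which is what makes the trick work and is the answer to the reuse worry: the dummy zones never own the keys). The dummy zone names under .invalid, the ODS_DRY_RUN switch and the pregen-* naming are my own; with ODS_DRY_RUN=1 the script only prints the commands, so it can be tried on a box without OpenDNSSEC.

```shell
#!/bin/sh
# Pre-generate an OpenDNSSEC key pool via temporary dummy zones, so that a
# single HSM backup covers everything the signer will need for INTERVAL.
# Added example; not OpenDNSSEC project code. Assumptions:
#   - ods-ksmutil / ods-hsmutil (OpenDNSSEC 1.x) are on PATH
#   - POLICY exists in kasp.xml
#   - ods-enforcerd is stopped, so no key gets allocated to a dummy zone
#   - ODS_DRY_RUN=1 prints the commands instead of running them

# run <cmd...>: execute the command, or only echo it in dry-run mode
run() {
    if [ "${ODS_DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# dummy_zone_name <policy> <index>: throwaway name under the reserved
# .invalid TLD, so it can never collide with a real customer zone
dummy_zone_name() {
    printf 'pregen-%s-%03d.invalid\n' "$1" "$2"
}

# pregenerate_keys <policy> <zone-count> <interval>
#  1. add COUNT dummy zones on POLICY so the key arithmetic sees them
#  2. let ods-ksmutil create enough KSKs/ZSKs for INTERVAL of rollovers
#  3. delete the dummy zones again, leaving the unallocated pool behind
#  4. list the HSM so the operator can confirm the pool before the one-off backup
pregenerate_keys() {
    policy=$1
    count=$2
    interval=$3

    i=1
    while [ "$i" -le "$count" ]; do
        run ods-ksmutil zone add --zone "$(dummy_zone_name "$policy" "$i")" --policy "$policy"
        i=$((i + 1))
    done

    # Assumption: some 1.4 builds prompt for confirmation here and accept
    # --auto-accept; check `ods-ksmutil key generate --help` on your build.
    run ods-ksmutil key generate --policy "$policy" --interval "$interval"

    i=1
    while [ "$i" -le "$count" ]; do
        run ods-ksmutil zone delete --zone "$(dummy_zone_name "$policy" "$i")"
        i=$((i + 1))
    done

    run ods-hsmutil list
}

# Usage: ODS_DRY_RUN=1 sh pregen.sh default 100 1Y
if [ "$#" -eq 3 ]; then
    pregenerate_keys "$1" "$2" "$3"
fi
```

Run it once with ODS_DRY_RUN=1 to review the exact ods-ksmutil invocations, then for real with the enforcer stopped; the final ods-hsmutil listing is what you compare against after restoring the backup onto the second device.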
