On 16.07.2013 17:49, Gavin Brown wrote:
>>> We are evaluating an HSM for use with OpenDNSSEC. The vendor has
>>> suggested that we consider manually generating all the keys we are
>>> likely to need up-front, so that we only ever need to do a single
>>> backup.
>>
>> Btw: What HSMs do you use? We use nCipher and they are very easy to
>> backup. The keys are stored encrypted on the hard disk. Thus, after
>> creating new keys, we just have to backup the directory with the keys.
>
> The devices we're evaluating are Safenet. Backups cannot be automated as
> they require a physical hardware token. This is the reason why we want
> to pre-generate all the keys, to avoid having to perform regular backups
> manually. Instead we generate all the keys we'll need, backup once, and
> forget about it.
>
> We've also evaluated the nCipher gear, and I am familiar with the backup
> procedure for those - it's certainly a lot simpler.
>
>> A workaround would be to add 100 dummy zones to ODS, use "ods-ksmutil
>> key generate ..." to generate the keys (+100 ZSKs and +100 KSKs), and
>> then remove the dummy zones. Then, when you add new zones and they use
>> the same policy as the dummy zones, the new zones will automatically
>> use the previously generated keys.
>
> Would keys be reused for new zones if they were previously associated
> with a different zone? I don't like the idea of that.

Yes (I just tested it with ODS 1.3.9).

Keys will be generated in the HSM and are stored in the kasp.db. In
kasp.db the active keys are assigned to a certain zone, but the
"not-yet-active" keys are only assigned to a policy, thus they will also
be used by zones which were added later, but use the same policy.

regards
Klaus
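The dummy-zone workaround Klaus describes above, written out as a POSIX shell script. This is an added example, not part of the thread and not OpenDNSSEC's own tooling. It assumes ods-ksmutil 1.x is on PATH and that a policy with the name in POLICY already exists in kasp.xml; the zone-name prefix "dummy-pregen", the .invalid suffix, the ISO 8601 interval P1Y and the ODS_DRY_RUN switch are my own choices for the example.

```shell
#!/bin/sh
# Pre-generate OpenDNSSEC keys for a policy by temporarily adding dummy zones
# (added example; assumes ods-ksmutil 1.x on PATH and an existing kasp policy).
# Set ODS_DRY_RUN=1 to print the commands instead of executing them.

POLICY="${POLICY:-default}"        # kasp.xml policy the real zones will use
COUNT="${COUNT:-100}"              # number of throw-away zones to add
PREFIX="${PREFIX:-dummy-pregen}"   # assumed prefix for the throw-away zones
INTERVAL="${INTERVAL:-P1Y}"        # ISO 8601 duration the key stock should cover

# Run a command, or just print it when dry-running.
run() {
    if [ -n "${ODS_DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Zero-padded name under .invalid so the zones are unmistakably throw-away.
dummy_zone_name() {
    printf '%s-%03d.invalid' "$PREFIX" "$1"
}

# Step 1: add COUNT zones on POLICY so the enforcer believes it needs keys for them.
add_dummy_zones() {
    i=1
    while [ "$i" -le "$COUNT" ]; do
        run ods-ksmutil zone add --zone "$(dummy_zone_name "$i")" --policy "$POLICY"
        i=$((i + 1))
    done
}

# Step 2: generate in the HSM enough KSKs and ZSKs for every zone on POLICY
# to cover INTERVAL; the keys are recorded in kasp.db tied to the policy.
generate_keys() {
    run ods-ksmutil key generate --policy "$POLICY" --interval "$INTERVAL"
}

# Step 3: remove the dummy zones again; keys not yet handed to a zone stay
# with the policy and are used by zones added later on the same policy.
remove_dummy_zones() {
    i=1
    while [ "$i" -le "$COUNT" ]; do
        run ods-ksmutil zone delete --zone "$(dummy_zone_name "$i")"
        i=$((i + 1))
    done
}

pregenerate() {
    add_dummy_zones
    generate_keys
    remove_dummy_zones
}

# Usage: POLICY=default COUNT=100 sh pregen.sh
# Preview first:  ODS_DRY_RUN=1 sh pregen.sh
[ -n "${ODS_NO_AUTORUN:-}" ] || [ "$0" != "pregen.sh" ] || pregenerate
```

Preview the run with ODS_DRY_RUN=1 before touching the HSM, then check the stock with `ods-ksmutil key list --verbose` before taking the one-off backup. Note the point Gavin raised and Klaus confirmed: the pre-generated keys belong to the policy, not to the dummy zones, so any zone later added on that policy will be handed one of them.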
_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user