On 17/07/13 02:26, Gavin Brown wrote:
> Hi Klaus,

Hi Gavin,

>> On 16.07.2013 13:30, Gavin Brown wrote:
>>> Hi there,
>>>
>>> We are evaluating an HSM for use with OpenDNSSEC. The vendor has
>>> suggested that we consider manually generating all the keys we are
>>> likely to need up-front, so that we only ever need to do a single backup.
>>>
>>> We're using this command to generate the keys:
>>>
>>> ods-ksmutil key generate --policy default --interval [PERIOD]
>>>
>>> where [PERIOD] is:
>>>
>>> number of zones * expected life of the system
>>
>> IIRC it is not necessary to specify 1000 years. If you have configured
>> 100 zones using all the default policy, then it should be fine to just
>> specify 10Y as interval - ODS automatically detects that this policy is
>> used for 100 zones and automatically generates 100 times the required keys.
>
> The system currently has no zones in it - it's completely fresh. We
> won't be adding zones until we know what they are, but the keys need to
> be in place before the zones are added.

We had to look at this issue because by policy we generate and back up keys once a year, but zones to be signed could be added at any time.

We found two alternatives: generate keys of a certain size using ods-hsmutil and later on allocate them to a policy/zone using ods-ksmutil key import, or create "placeholder" zones, create keys for them and, when needed, add the zone to be signed and re-allocate the keys to that zone using a script that "hacks" the KASP db.

The first option is cleaner, but requires keeping track of the CKA_ID of the keys created. The second option works better with the generation process, but allocating the keys requires some hacking (we have a script developed and we've used it successfully).

I hope this info helps,

Cheers,

>
> G.
>

-- 
Sebastian Castro
DNS Specialist
.nz Registry Services (New Zealand Domain Name Registry Limited)
desk: +64 4 495 2337
mobile: +64 21 400535

_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
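The first alternative above (pre-generate keys with ods-hsmutil, then hand one to a zone with ods-ksmutil key import) stands or falls on keeping track of CKA_IDs. The script below is an added example, written for this thread; it is not code from the list posters or from the OpenDNSSEC project. It keeps a small JSON ledger of pre-generated keys, records which yearly batch each key belongs to and whether that batch has been backed up, and refuses to allocate a key to a zone until its backup exists, since a key that goes live before its backup exists cannot be recovered if the HSM is lost. The flags it emits for `ods-ksmutil key import` (--cka_id, --repository, --zone, --bits, --algorithm, --keystate, --keytype, --time) are assumed from the OpenDNSSEC 1.x man page and should be checked against the installed version; the ledger layout and the CKA_ID values in `demo()` are constructed for the example.

```python
import json
from dataclasses import dataclass, asdict
from typing import Dict, List, Optional


@dataclass
class HsmKey:
    """One pre-generated key pair sitting in the HSM.

    cka_id is the hex identifier ods-hsmutil prints for the key; it is the
    only handle that later ties the HSM object to a zone in the KASP database.
    """
    cka_id: str
    repository: str
    bits: int
    algorithm: int            # DNSSEC algorithm number (8 = RSASHA256)
    generated: str            # date of the yearly generation batch, YYYY-MM-DD
    backed_up: bool = False   # set once that batch's HSM backup is verified
    zone: Optional[str] = None
    keytype: Optional[str] = None   # "KSK" or "ZSK" once allocated


class KeyLedger:
    """Tracks CKA_IDs of pre-generated keys and which zone each one went to."""

    def __init__(self) -> None:
        self._keys: Dict[str, HsmKey] = {}

    def record(self, key: HsmKey) -> None:
        if key.cka_id in self._keys:
            raise ValueError(f"duplicate CKA_ID {key.cka_id}")
        self._keys[key.cka_id] = key

    def mark_batch_backed_up(self, generated: str) -> int:
        """Mark every key from one generation batch as covered by a backup."""
        count = 0
        for key in self._keys.values():
            if key.generated == generated and not key.backed_up:
                key.backed_up = True
                count += 1
        return count

    def free_keys(self, bits: int, algorithm: int) -> List[HsmKey]:
        """Unallocated keys of the requested size/algorithm, oldest batch first."""
        return sorted(
            (k for k in self._keys.values()
             if k.zone is None and k.bits == bits and k.algorithm == algorithm),
            key=lambda k: (k.generated, k.cka_id),
        )

    def allocate(self, zone: str, keytype: str, bits: int, algorithm: int,
                 when: str, keystate: str = "generate") -> List[str]:
        """Bind the oldest backed-up free key to a zone; return the import command.

        Keys whose batch has not been backed up are never handed out.
        """
        if keytype not in ("KSK", "ZSK"):
            raise ValueError("keytype must be KSK or ZSK")
        candidates = [k for k in self.free_keys(bits, algorithm) if k.backed_up]
        if not candidates:
            raise LookupError(f"no backed-up free {bits}-bit alg {algorithm} key")
        key = candidates[0]
        key.zone, key.keytype = zone, keytype
        # Flags as documented for ods-ksmutil 1.x (assumed; verify against your version).
        return ["ods-ksmutil", "key", "import",
                "--cka_id", key.cka_id,
                "--repository", key.repository,
                "--zone", zone,
                "--bits", str(bits),
                "--algorithm", str(algorithm),
                "--keystate", keystate,
                "--keytype", keytype,
                "--time", when]

    def to_json(self) -> str:
        return json.dumps([asdict(k) for k in self._keys.values()], indent=2)

    @classmethod
    def from_json(cls, text: str) -> "KeyLedger":
        ledger = cls()
        for entry in json.loads(text):
            ledger.record(HsmKey(**entry))
        return ledger


def demo() -> List[str]:
    """One year in miniature: generate a batch, back it up, allocate on demand.
    The CKA_IDs below are constructed sample values, not real HSM output."""
    ledger = KeyLedger()
    for cka in ("a1b2c3d4e5f60001", "a1b2c3d4e5f60002"):
        ledger.record(HsmKey(cka, "hsm-prod", 2048, 8, "2013-07-01"))
    ledger.record(HsmKey("a1b2c3d4e5f60003", "hsm-prod", 1024, 8, "2013-07-01"))
    ledger.mark_batch_backed_up("2013-07-01")
    cmd = ledger.allocate("example.nz", "KSK", 2048, 8, "2013-09-15")
    # Round-trip through the on-disk form so the allocation survives a restart.
    ledger = KeyLedger.from_json(ledger.to_json())
    return cmd


if __name__ == "__main__":
    print(" ".join(demo()))
```

The ledger is the part that is easy to skip and costly to lose: the HSM itself does not know which CKA_ID is reserved for which future zone, so keep the JSON file under the same backup regime as the HSM backup it describes.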
