Hi Jakob,
First of all, thanks for your reply, it's very helpful. Did you mean
as below:
1. I should add a new "<Repository>" tag under "<RepositoryList>" in conf.xml
Before change :
<Configuration>
  <RepositoryList>
    <Repository name="repo1">
      .....
    </Repository>
  </RepositoryList>
  .....
</Configuration>
After change :
<Configuration>
  <RepositoryList>
    <Repository name="repo1">
      .....
    </Repository>
    <Repository name="repo2">
      .....
    </Repository>
  </RepositoryList>
  .....
</Configuration>
2. Update the kasp.xml file, in the "<Policy>" section that should use the
new HSM.
Before change :
<KASP>
  <Policy name="default">
    <Keys>
      <!-- Parameters for KSK only -->
      <KSK>
        <Algorithm length="2048">8</Algorithm>
        <Lifetime>P1Y</Lifetime>
        <Repository>repo1</Repository>
      </KSK>
      <!-- Parameters for ZSK only -->
      <ZSK>
        <Algorithm length="1024">8</Algorithm>
        <Lifetime>P90D</Lifetime>
        <Repository>repo1</Repository>
      </ZSK>
    </Keys>
  </Policy>
</KASP>
After change :
<KASP>
  <Policy name="default">
    <Keys>
      <!-- Parameters for KSK only -->
      <KSK>
        <Algorithm length="2048">8</Algorithm>
        <Lifetime>P1Y</Lifetime>
        <Repository>repo2</Repository>
      </KSK>
      <!-- Parameters for ZSK only -->
      <ZSK>
        <Algorithm length="1024">8</Algorithm>
        <Lifetime>P90D</Lifetime>
        <Repository>repo2</Repository>
      </ZSK>
    </Keys>
  </Policy>
</KASP>
3. Restart the ods and reload all the conf files, e.g. "$ ./ods-ksmutil update all"
If I missed something, please let me know. Thank you very much.
Best Regards,
Dean.
At 2015-11-17 16:58:59, "Jakob Schlyter" <[email protected]> wrote:
>
>> On 17 nov. 2015, at 05:13, yaohongyuan <[email protected]> wrote:
>>
>> Do you think it is possible for opendnssec to connect to two HSMs and
>> sign into one zone file?
>
>Yes, you can configure multiple repositories. If you update the KASP so that
>new keys use the new HSM, it will automatically be used when rolling over.
>
> jakob
>
_______________________________________________ Opendnssec-user mailing list [email protected] https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
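As an added check (not OpenDNSSEC's own tooling, and not code from either poster): after editing both files, every <Repository> that a KSK or ZSK names in kasp.xml must be declared under <RepositoryList> in conf.xml, otherwise the enforcer cannot generate keys for that policy. The script below parses constructed sample copies of the two files and reports any policy slot that points at an undeclared repository.

```python
import xml.etree.ElementTree as ET

# Constructed conf.xml fragment: repo1 already existed, repo2 was just added.
# Module/TokenLabel/PIN children of each <Repository> are omitted here.
CONF_XML = """<Configuration>
  <RepositoryList>
    <Repository name="repo1"/>
    <Repository name="repo2"/>
  </RepositoryList>
</Configuration>"""

# Constructed kasp.xml: "default" now points at repo2 as in the mail above;
# "legacy" still names a repo3 that conf.xml never declared (the error case).
KASP_XML = """<KASP>
  <Policy name="default"><Keys>
    <KSK><Algorithm length="2048">8</Algorithm><Repository>repo2</Repository></KSK>
    <ZSK><Algorithm length="1024">8</Algorithm><Repository>repo2</Repository></ZSK>
  </Keys></Policy>
  <Policy name="legacy"><Keys>
    <KSK><Algorithm length="2048">8</Algorithm><Repository>repo1</Repository></KSK>
    <ZSK><Algorithm length="1024">8</Algorithm><Repository>repo3</Repository></ZSK>
  </Keys></Policy>
</KASP>"""


def declared_repositories(conf_xml):
    """Set of names declared under <Configuration><RepositoryList>."""
    root = ET.fromstring(conf_xml)
    return {r.get("name") for r in root.findall("./RepositoryList/Repository")
            if r.get("name")}


def key_repositories(kasp_xml):
    """Map (policy name, key type) -> repository the KSK/ZSK is told to use."""
    root = ET.fromstring(kasp_xml)
    refs = {}
    for policy in root.findall("./Policy"):
        for ktype in ("KSK", "ZSK"):
            repo = policy.findtext("./Keys/%s/Repository" % ktype)
            if repo is not None:
                refs[(policy.get("name"), ktype)] = repo.strip()
    return refs


def undefined_references(conf_xml, kasp_xml):
    """Key slots whose repository is missing from conf.xml; run this before 'ods-ksmutil update all'."""
    declared = declared_repositories(conf_xml)
    return {k: v for k, v in key_repositories(kasp_xml).items() if v not in declared}


if __name__ == "__main__":
    for (policy, ktype), repo in sorted(undefined_references(CONF_XML, KASP_XML).items()):
        print("policy %r %s: repository %r is not declared in conf.xml" % (policy, ktype, repo))
```

Point the two constants at the real files (for example via open().read()) to run it against a live installation.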
