Hi,
If there isn't any bug in the implementation, Knot DNS deletes old keys
from (soft)HSM as well. It would be very impractical otherwise!
Daniel
On 2021-09-08 19:13, Luveh Keraph wrote:
Thanks. The situation that I am addressing is that of a key roll over. My
guess is that when such an event takes place Knot will automatically remove
the obsolete key from the KASP, but not from the HSM. Which, in the case of
SoftHSM, implies that keys will be added to the corresponding token
Hi Luveh,
when just re-signing the zone, Knot does not need to generate any newer
key pairs. It's just still using the key pair it has generated initially
(for each zone separately).
Only in the case of ZSK and KSK rollovers, when the keys (ZSK and KSK,
respectively) reach their configured
When Knot generates a key pair, it will save it in some directory in the
filesystem - in the clear, when using the default cryptographic provider,
or as an encrypted blob when using SoftHSM, or (possibly) a real HSM.
Imagine that I have a setup with many zones, with a signing policy that
causes