[Opendnssec-develop] Creating keys
patrik.wallstrom at iis.se
Tue Dec 2 13:21:10 UTC 2008
On Dec 2, 2008, at 2:11 PM, Roy Arends wrote:
>> But do we believe OpenDNSSEC should be the solution for such
>> few-domain admins? Or should they be redirected to a tool like
>> Holger's ZKT, which does well for smaller roll-out scenarios?
>> I think the dynamic-signer properties and use of PKCS #11 can
>> make OpenDNSSEC useful in places where ZKT is not active (yet).
> OpenDNSSEC should be _the_ solution for such few-domain admins. The
> mandate that we have is that OpenDNSSEC should be the common tool for
> managing signed domains. If you have one domain, and want it signed,
> Fwiw I do not see a market for USB tokens as a keystore in this
> sense. USB tokens tend to get lost, stolen, or left connected to a device (or
> left in a bar or taxi, if you work for British Government). Note that data
> to be signed periodically and regularly. If you have a high value
> use a proper FIPS 140-2 level 4 HSM. If you have a huge number of highly
> volatile domains, use an HSM that is specifically built for
> I think it is fine, in the general case, to have a softtoken.
I must agree with Roy here. If you have such security requirements
that mandate that you must store your keys in a hardware device, I
don't think a USB token is a reasonable solution in the long run. The
cost of using a real HSM is lowered each year and the administrative
costs of handling USB tokens are soon possibly at the same level.
>> In summary, I believe
>> * that USB tokens make it necessary to share key pairs among zones
>> * that provider-signing makes it necessary to support multiple key
> I see no issue with using a key for multiple domains. I see no issue
> using a key per domain. Both policies can be implemented.
Yes. But how do we specify this in the policy?
Project Manager, R&D
.SE (Stiftelsen för Internetinfrastruktur)
E-mail: patrik.wallstrom at iis.se