[Opendnssec-develop] Creating keys

Patrik Wallstrom patrik.wallstrom at iis.se
Tue Dec 2 13:21:10 UTC 2008


On Dec 2, 2008, at 2:11 PM, Roy Arends wrote:

>>   But do we believe OpenDNSSEC should be the solution for such
>>   few-domain admins?  Or should they be redirected to a tool like
>>   Holger's ZKT, which does well for smaller roll-out scenarios?
>>   I think the dynamic-signer properties and use of PKCS #11 can
>>   make OpenDNSSEC useful in places where ZKT is not active (yet).
>
> OpenDNSSEC should be _the_ solution for such few-domain admins. The
> mandate that we have is that OpenDNSSEC should be the common tool for
> managing signed domains. If you have one domain, and want it signed,  
> use
> OpenDNSSEC.
>
> Fwiw I do not see a market for USB tokens as a keystore in this  
> sense. USB
> tokens tend to get lost, stolen, or left connected to a device (or  
> left in
> a bar or taxi, if you work for British Government). Note that data  
> needs
> to be signed periodically and regularly. If you have a high value  
> domain,
> use a proper fips-140-2 level 4 HSM. If you have huge number of highly
> volatile domains, use an HSM that is specifically build for  
> acceleration.
> I think it is fine, in the general case, to have a softtoken.

I must agree with Roy here. If you have such security requirements  
that mandate that you must store your keys in a hardware device, I  
don't think a USB token is a reasonable solution in the long run. The  
cost of using a real HSM is lowered each year and the administrative  
costs of handling USB tokens are soon possibly at the same level.

>> In summary, I believe
>> * that USB tokens make it necessary to share key pairs among zones
>> * that provider-signing makes it necessary to support multiple key  
>> pairs
>
> I see no issue with using a key for multiple domains. I see no issue  
> with
> using a key per domain. Both policies can be implemented.

Yes. But how do we specify this in the policy?

-- 
Patrik Wallström
Project Manager, R&D
.SE (Stiftelsen för Internetinfrastruktur)
E-mail: patrik.wallstrom at iis.se
Web: http://www.iis.se/



-------------- next part --------------
A non-text attachment was scrubbed...
Name: PGP.sig
Type: application/pgp-signature
Size: 194 bytes
Desc: This is a digitally signed message part
URL: <http://lists.opendnssec.org/pipermail/opendnssec-develop/attachments/20081202/6ac97d3f/attachment.bin>


More information about the Opendnssec-develop mailing list