[Opendnssec-develop] Creating keys
Olaf Kolkman
olaf at NLnetLabs.nl
Thu Nov 27 11:59:30 UTC 2008
On Nov 27, 2008, at 11:25 AM, John Dickinson wrote:
> Lacking anyone physically present who cares about DNS, DNSSEC or
> keys to bounce thoughts off I am going to use this mailing list :)
>
> I am working on the key creation logic of the enforcer.
>
> A policy is used to specify key and signing parameters for a zone or
> set of zones.
>
> Let's look at an example, say the policy specifies that the algorithm
> to be used for new KSKs is 5 and that the algorithm to be used for
> ZSKs is 11. (ignore for now any technicalities of exactly how you
> switch to a new algorithm.). Keys for both KSKs and ZSKs are to be
> stored in security module 1.
>
> The enforcer will start for the FIRST TIME and examine the policy -
> it will see that it needs keys of types 5 and 11. It knows (because
> we told it) that the capacity of security module 1 is 1000 keys.
>
> Key generation is expensive so I was planning to pre-create as many
> keys as possible. So first of all I thought the Enforcer could
> create 500 keys of each algorithm. Great - that is easy. But
> consider the following events in the future...
>
The whole argument is built on the presumption that key generation is
so expensive you need to pre-create that many. I do not understand
that point. In the context of resigning a zone the key generation is
only a fraction of the expense, isn't it?
My, maybe naive, thinking is that you only generate keys when you
actually are about to use them?
--Olaf