[Opendnssec-develop] Creating keys

Olaf Kolkman olaf at NLnetLabs.nl
Thu Nov 27 11:59:30 UTC 2008

On Nov 27, 2008, at 11:25 AM, John Dickinson wrote:

> Lacking anyone physically present who cares about DNS, DNSSEC or
> keys to bounce thoughts off I am going to use this mailing list :)
> I am working on the key creation logic of the enforcer.
> A policy is used to specify key and signing parameters for a zone or
> set of zones.
> Let's look at an example, say the policy specifies that the algorithm
> to be used for new KSKs is 5 and that the algorithm to be used for
> ZSKs is 11 (ignore for now any technicalities of exactly how you
> switch to a new algorithm). Keys for both KSKs and ZSKs are to be
> stored in security module 1.
> The enforcer will start for the FIRST TIME and examine the policy -
> it will see that it needs keys of types 5 and 11. It knows (because
> we told it) that the capacity of security module 1 is 1000 keys.
> Key generation is expensive so I was planning to pre-create as many
> keys as possible. So first of all I thought the Enforcer could
> create 500 keys of each algorithm. Great - that is easy. But
> consider the following events in the future...

The whole argument is built on the presumption that key generation is
so expensive you need to pre-create that many. I do not understand
that point. In the context of resigning a zone the key generation is
only a fraction of the expense, isn't it?

My, maybe naive, thinking is that you only generate keys when you
actually are about to use them?
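To make the two positions in this thread concrete, here is an added planning sketch (not OpenDNSSEC's enforcer code) that computes, for a set of constructed policy records and an assumed 1000-key security module, both the "fill the module up front" split from the quoted message and the "only what the next rollovers need" demand from the reply, and checks either plan against the module's capacity:

```python
import math
from collections import Counter

# Constructed policy records (not OpenDNSSEC's real policy format): one per
# zone, giving the algorithm per key role, the HSM holding the keys and the
# assumed key lifetimes that drive rollovers.
POLICIES = [
    {"zone": "example.com.", "hsm": 1,
     "ksk_alg": 5, "ksk_lifetime_days": 365,
     "zsk_alg": 11, "zsk_lifetime_days": 30},
]
HSM_CAPACITY = {1: 1000}  # assumed: maximum key objects per security module


def required_slots(policies):
    """Distinct (hsm, algorithm, role) combinations the policies call for."""
    slots = set()
    for p in policies:
        slots.add((p["hsm"], p["ksk_alg"], "KSK"))
        slots.add((p["hsm"], p["zsk_alg"], "ZSK"))
    return slots


def precreate_plan(policies, capacity):
    """Fill each HSM up front, splitting its capacity evenly over its slots
    (the 500 + 500 split from the quoted message)."""
    slots = required_slots(policies)
    per_hsm = Counter(hsm for hsm, _, _ in slots)
    return {s: capacity[s[0]] // per_hsm[s[0]] for s in sorted(slots)}


def demand_plan(policies, horizon_days):
    """Keys needed inside a lookahead window: the active key plus one
    successor for every lifetime interval that starts inside the window."""
    need = Counter()
    for p in policies:
        for role in ("ksk", "zsk"):
            slot = (p["hsm"], p[f"{role}_alg"], role.upper())
            need[slot] += 1 + math.ceil(horizon_days / p[f"{role}_lifetime_days"])
    return dict(need)


def check_capacity(plan, capacity):
    """Per-HSM shortfall of a plan against module capacity (0 when it fits)."""
    used = Counter()
    for (hsm, _, _), n in plan.items():
        used[hsm] += n
    return {hsm: max(0, used[hsm] - capacity[hsm]) for hsm in capacity}
```

With a 90-day window the demand plan asks for only a handful of keys per role, so adding zones or a third algorithm to the policy cannot exhaust the module the way an even split of 1000 slots can.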

