[Opendnssec-develop] Creating keys
Stephen.Morris at nominet.org.uk
Fri Nov 28 16:47:32 UTC 2008
Olaf Kolkman <olaf at NLnetLabs.nl> wrote on 27/11/2008 16:01:26:
>
> On Nov 27, 2008, at 4:54 PM, John Dickinson wrote:
>
> >
> > So I guess if you have a large zone like co.uk then a couple of
> > seconds in the 6 odd minutes that it would take to sign from scratch
> > is nothing. However, if you have 1000's of small zones or you are
> > dynamically updating every minute then it could make a big difference.
>
> But even then... the key-rollover would take place only once per month
> or so. So this 2 second pain per zone only happens once or twice per
> month.
In this approach, are there any problems in ensuring that the keys are
replicated to a backup HSM before they are used? Do you need any type of
"master" password to export private keys from the HSM?
Stephen