[Opendnssec-develop] Creating keys

Stephen.Morris at nominet.org.uk Stephen.Morris at nominet.org.uk
Fri Nov 28 16:47:32 UTC 2008

Olaf Kolkman <olaf at NLnetLabs.nl> wrote on 27/11/2008 16:01:26:

> On Nov 27, 2008, at 4:54 PM, John Dickinson wrote:
> >
> > So I guess if you have a large zone like co.uk then a couple of 
> > seconds in the 6 odd minutes that it would take to sign from scratch 
> > is nothing. However, if you have 1000's of small zones or you are 
> > dynamically updating every minute then it could make a big difference.
> But even then... the key-rollover would take place only once per month 
> or so. So this 2 second pain per zone only happens once or twice per 
> month.

In this approach, are there any problems in ensuring that the keys are 
replicated to a backup HSM before they are used?  Do you need any type of 
"master" password to export private keys from the HSM?


More information about the Opendnssec-develop mailing list