[Opendnssec-develop] Creating keys

Olaf Kolkman olaf at NLnetLabs.nl
Sun Nov 30 14:46:48 UTC 2008

On Nov 28, 2008, at 5:47 PM, Stephen.Morris at nominet.org.uk wrote:

> Olaf Kolkman <olaf at NLnetLabs.nl> wrote on 27/11/2008 16:01:26:
>
>>
>> On Nov 27, 2008, at 4:54 PM, John Dickinson wrote:
>>
>>>
>>> So I guess if you have a large zone like co.uk then a couple of
>>> seconds in the 6 odd minutes that it would take to sign from scratch
>>> is nothing. However, if you have 1000's of small zones or you are
>>> dynamically updating every minute then it could make a big  
>>> difference.
>>
>> But even then... the key-rollover would take place only once per  
>> month
>> or so. So this 2 second pain per zone only happens once or twice per
>> month.
>
> In this approach, are there any problems in ensuring that the keys are
> replicated to a backup HSM before they are used?  Do you need any  
> type of
> "master" password to export private keys from the HSM?
>


And again, here I can see many zones using one private key. With
that possibility a number of these questions do not pop up. One
private key (with many public key instances) that is used for many
zones. One single generation, one single backup and all this magic.

Not that one priv-key to many zones excludes many-to-many.

-Olaf
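Added example, not part of this thread and not OpenDNSSEC code: what "one private key with many public key instances" looks like on the wire. The same DNSKEY RDATA is published at every zone apex, so every zone carries the same RFC 4034 key tag; the contrast case gives each zone its own key and therefore its own tag to generate, back up and roll. The public key bytes, the zone names and the helper names (dnskey_rdata, key_tag, publish_shared_key, key_tags_in_use) are constructed for the example; the key material is a placeholder, not a valid ECDSA point.

```python
import base64
from typing import Dict, Iterable, List, Set

# Constructed placeholder key material (not a valid ECDSA P-256 point; only a
# stand-in so the example runs offline without an HSM or a crypto library).
SHARED_PUBKEY = bytes([0x01] * 64)
ZONES = ["example.", "example.net.", "example.org."]  # constructed zone list


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """Wire-format DNSKEY RDATA: flags(2) | protocol(1) | algorithm(1) | public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (valid for every algorithm except 1, RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8  # even offsets are the high byte of a 16-bit word
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def dnskey_rr(owner: str, rdata: bytes, ttl: int = 3600) -> str:
    """Presentation-format DNSKEY RR for one zone apex."""
    flags = int.from_bytes(rdata[:2], "big")
    key_b64 = base64.b64encode(rdata[4:]).decode("ascii")
    return f"{owner} {ttl} IN DNSKEY {flags} {rdata[2]} {rdata[3]} {key_b64}"


def parse_dnskey_rr(rr: str) -> bytes:
    """Inverse of dnskey_rr: presentation format back to wire RDATA."""
    fields = rr.split()  # owner ttl IN DNSKEY flags protocol algorithm key
    flags, protocol, algorithm = int(fields[4]), int(fields[5]), int(fields[6])
    return dnskey_rdata(flags, protocol, algorithm, base64.b64decode(fields[7]))


def publish_shared_key(zones: Iterable[str], rdata: bytes) -> Dict[str, str]:
    """One private key, many public key instances: identical RDATA at every apex."""
    return {zone: dnskey_rr(zone, rdata) for zone in zones}


def publish_per_zone_keys(zones: List[str]) -> Dict[str, str]:
    """Contrast case: every zone gets its own (constructed) key pair."""
    records = {}
    for i, zone in enumerate(zones):
        pub = bytes([0x01] * 63 + [i + 1])  # constructed; differs per zone
        records[zone] = dnskey_rr(zone, dnskey_rdata(256, 3, 13, pub))
    return records


def key_tags_in_use(records: Iterable[str]) -> Set[int]:
    """Distinct key tags the operator has to generate, back up and roll."""
    return {key_tag(parse_dnskey_rr(rr)) for rr in records}


if __name__ == "__main__":
    shared = publish_shared_key(ZONES, dnskey_rdata(256, 3, 13, SHARED_PUBKEY))
    for rr in shared.values():
        print(rr)
    print("shared key, tags to manage:", key_tags_in_use(shared.values()))
    print("per-zone keys, tags to manage:", key_tags_in_use(publish_per_zone_keys(ZONES).values()))
```

The shared-key case leaves a single key tag across all three zones, which is the point Olaf makes: one generation and one HSM backup cover every zone. Note that the key tag is not unique by design, so an operator still tracks the key by its full DNSKEY RDATA (or HSM label), with the tag only as a hint.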