[Opendnssec-develop] Key (HSM) backup

Rickard Bondesson rickard.bondesson at iis.se
Wed Aug 12 12:32:46 UTC 2009


> > My preference is to remove the "backup delay" and force use of 
> > "ksmutil backup done".
> 
> ++
> 
> do we need an option to turn this off? I believe so.

+1

Yeah, have a tag similar to <NoBackup />
The reason to have a negative tag is because you want to opt-in the security features.

Is this tag then for

<Policy><Keys>

Or

<Policy>

> > p.s. If a key has not been backed up is it still okay to prepublish
> > it? I was only going to stop it from becoming active, please tell me
> > if this is wrong.
> 
> dunno. Rickard?

+1

No problem with prepublishing the key, since the key is not in use. If the key is lost then you will not break anything. The only thing is that it would take somewhat longer to roll the current key after it has been restored, since you have no prepublished key in the backup. But that is not an issue.



