[Opendnssec-develop] Key (HSM) backup

sion at nominet.org.uk
Thu Aug 13 07:25:04 UTC 2009


> >> Yeah, have a tag similar to <NoBackup />
> >> The reason to have a negative tag is because you want to opt-in the
> >> security features.
> >>
> >> Is this tag then for
> >>
> >> <Policy><Keys>
> >>
> >> Or
> >>
> >> <Policy>
> >
> > Or even a property of the repository?
>
> yes, that makes sense. perhaps something like this:
>
>    Configuration/RepositoryList/Repository/RequireBackup (empty element)
>
> it is a feature you turn on. most people will assume that they don't
> have to flag keys as backed up so the default should be off IMHO.

So the default is to be able to use keys that are not backed up? I thought
that this was the less desirable option...

Anyway, I'll make sure that a suitably apocalyptic message is logged if a
non-backed up key becomes active.

Sion
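
The opt-in behaviour discussed in this thread, as an added example that is not part of the original message or of OpenDNSSEC's code: a repository carrying the empty `RequireBackup` element refuses to activate a key that has no backup, while a repository without it allows the key and logs at critical level. The `name` attribute, the key record fields (`id`, `repository`, `backed_up`), the sample repository names and the fail-closed handling of unknown repositories are assumptions made for illustration.

```python
import logging
import xml.etree.ElementTree as ET

# Constructed sample configuration; repository names are made up.
CONF_XML = """
<Configuration>
  <RepositoryList>
    <Repository name="hsm-strict">
      <RequireBackup/>
    </Repository>
    <Repository name="hsm-default"/>
  </RepositoryList>
</Configuration>
"""

log = logging.getLogger("key-backup-check")


def repositories_requiring_backup(conf_xml):
    """Map each repository name to True if it carries <RequireBackup/>."""
    root = ET.fromstring(conf_xml)
    # An empty Element is falsy, so test explicitly against None.
    return {
        repo.get("name"): repo.find("RequireBackup") is not None
        for repo in root.findall("./RepositoryList/Repository")
    }


def may_activate(key, require_backup):
    """Decide whether a key may become active.

    key: dict with hypothetical fields 'id', 'repository', 'backed_up'.
    Returns (allowed, reason).
    """
    repo = key["repository"]
    if repo not in require_backup:
        # Unknown repository: fail closed rather than guess its policy.
        return False, "unknown repository"
    if key["backed_up"]:
        return True, "backed up"
    if require_backup[repo]:
        return False, "backup required but key not backed up"
    # Element absent (the proposed default): allowed, but logged loudly.
    log.critical("key %s in %s is going active WITHOUT a backup",
                 key["id"], repo)
    return True, "not backed up (warning logged)"
```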



