[Opendnssec-develop] Default to zero standby keys

Rickard Bellgrim rickard.bellgrim at iis.se
Tue Jul 6 13:34:22 UTC 2010

On 6 jul 2010, at 15.03, Sion Lloyd wrote:

> This is certainly the case for KSKs; I can write more documentation if that 
> will help.

Documentation is always good.

> Is there actually any point in having standby keys set if you can not select a 
> different HSM for these keys?

Probably not.

The current standby keys is only good when the reason for the emergency is that someone has calculated the private key for the current key. If there is a compromise of the key store, then the standby key is probably compromised.

So either we should,
1. Introduce the concept of alternative storage place for the standby key
2. Remove standby keys and recommend the user to handle that outside OpenDNSSEC. E.g. generate your own keys. Add DS to parent and pre-publish ZSK in the unsigned zone.

> I am happy for the default to be set to zero regardless of the answer to the 
> above.

I will commit that to trunk and 1.1 branch.

// Rickard

More information about the Opendnssec-develop mailing list