[Opendnssec-develop] Default to zero standby keys
sion at nominet.org.uk
Tue Jul 6 14:25:26 UTC 2010
> > This is certainly the case for KSKs; I can write more documentation if
> > that will help.
> Documentation is always good.
It is not hooked up to anything yet. Should it be in the FAQ section or have a
link directly from its parent?
> > Is there actually any point in having standby keys set if you can not
> > select a different HSM for these keys?
> Probably not.
> The current standby keys are only good when the reason for the emergency is
> that someone has calculated the private key for the current key. If there
> is a compromise of the key store, then the standby key is probably
> So either we should,
> 1. Introduce the concept of alternative storage place for the standby key
> 2. Remove standby keys and recommend the user to handle that outside
> OpenDNSSEC. E.g. generate your own keys. Add DS to parent and pre-publish
> ZSK in the unsigned zone.
My gut reaction is option 1; if we thought that it was worthwhile to have then
we should do it usefully.
However, if no-one will use it then maybe it is doing more harm than good?