[Opendnssec-develop] Default to zero standby keys
Sion Lloyd
sion at nominet.org.uk
Tue Jul 6 14:25:26 UTC 2010
> > This is certainly the case for KSKs; I can write more documentation if
> > that will help.
>
> Documentation is always good.
http://trac.opendnssec.org/wiki/Signer/Using/KeyStates
It is not hooked up to anything yet. Should it be in the FAQ section or have a
link directly from its parent?
> > Is there actually any point in having standby keys set if you can not
> > select a different HSM for these keys?
>
> Probably not.
>
> The current standby keys are only good when the reason for the emergency is
> that someone has calculated the private key for the current key. If there
> is a compromise of the key store, then the standby key is probably
> compromised.
>
> So either we should,
> 1. Introduce the concept of alternative storage place for the standby key
> or
> 2. Remove standby keys and recommend the user to handle that outside
> OpenDNSSEC. E.g. generate your own keys. Add DS to parent and pre-publish
> ZSK in the unsigned zone.
My gut reaction is option 1; if we thought that it was worthwhile to have then
we should do it usefully.
However, if no-one will use it then maybe it is doing more harm than good?
Sion