[Opendnssec-develop] Default to zero standby keys

Sion Lloyd sion at nominet.org.uk
Tue Jul 6 14:25:26 UTC 2010

> > This is certainly the case for KSKs; I can write more documentation if
> > that will help.
> Documentation is always good.


It is not hooked up to anything yet, Should it be in the FAQ section or have a 
link directly from its parent?

> > Is there actually any point in having standby keys set if you can not
> > select a different HSM for these keys?
> Probably not.
> The current standby keys is only good when the reason for the emergency is
> that someone has calculated the private key for the current key. If there
> is a compromise of the key store, then the standby key is probably
> compromised.
> So either we should,
> 1. Introduce the concept of alternative storage place for the standby key
> or
> 2. Remove standby keys and recommend the user to handle that outside
> OpenDNSSEC. E.g. generate your own keys. Add DS to parent and pre-publish
> ZSK in the unsigned zone.

My gut reaction is option 1; if we thought that it was worthwhile to have then 
we should do it usefully. 

However, if no-one will use it then maybe it is doing more harm than good?


More information about the Opendnssec-develop mailing list