[Opendnssec-develop] [OpenDNSSEC] #146: Feature request: general pool of available keys
OpenDNSSEC
owner-dnssec-trac at kirei.se
Wed Jul 14 13:26:54 UTC 2010
#146: Feature request: general pool of available keys
------------------------+---------------------------------------------------
Reporter: roland | Owner: sion
Type: enhancement | Status: new
Priority: major | Component: Enforcer
Version: trunk | Keywords: key generation
------------------------+---------------------------------------------------
While working on the implementation of our DNSSEC deployment we came to
the conclusion that it would be helpful to have a general pool of
pre-generated keys available (of certain common specifiable sizes, e.g. 10x
1024-bit keys and 10x 2048-bit keys).
The use case for this is simple: we use HSMs to store key material and we
expect to add new signing policies on a regular basis. We will be using
shared keys (e.g. each university etc. has one set of keys for all its
zones). At regular intervals, we will need to create a new policy when a
new customer enables DNSSEC for its first zone. This is all done by an
automated system. The problem we face is that we cannot start producing
signed zones for this customer/new policy until we have backed up the
newly generated keys that belong to the policy. And our backup procedure
is such that it cannot be done automatically (the HSM requires manual
intervention for security reasons) which means that it may take some time
(days) before this new zone can be taken into production.
This issue could easily be resolved by having a pool of pre-generated keys
available for general use (i.e. not yet assigned to a policy) that the
enforcer can choose from when it needs new keys for a new policy.
Summarising: is it possible to add this feature to the enforcer? I think
there is a use case here for registrars.
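The pool described in the ticket, as an added illustrative model that is not OpenDNSSEC code: the pool keeps a configurable number of unassigned keys per size, keys become eligible only after the manual backup is recorded, and the enforcer draws a backed-up spare when a new policy appears. Key labels, sizes and policy names are assumptions; key material itself stays in the HSM and is not modelled.

```python
# Added illustration of the requested "general pool" idea; not OpenDNSSEC code.
# Only key metadata is tracked here; the HSM would hold the actual material.
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class PoolKey:
    key_id: str                   # hypothetical HSM key label
    bits: int                     # key size, e.g. 1024 or 2048
    backed_up: bool = False       # set only after the manual HSM backup
    policy: Optional[str] = None  # None while the key is still unassigned


class KeyPool:
    """Unassigned, pre-generated keys the enforcer may draw from."""

    def __init__(self, targets: Dict[int, int]):
        self.targets = targets  # bits -> number of spare keys to keep
        self.keys: List[PoolKey] = []
        self._seq = 0

    def replenish(self) -> List[PoolKey]:
        """Generate keys until each size has its target number of spares."""
        created = []
        for bits, want in self.targets.items():
            spare = sum(1 for k in self.keys if k.bits == bits and k.policy is None)
            for _ in range(want - spare):
                self._seq += 1
                key = PoolKey(f"pool-{bits}-{self._seq:03d}", bits)
                self.keys.append(key)
                created.append(key)
        return created

    def mark_backed_up(self) -> int:
        """Record that the operator completed a backup of all keys generated so far."""
        pending = [k for k in self.keys if not k.backed_up]
        for k in pending:
            k.backed_up = True
        return len(pending)

    def allocate(self, policy: str, bits: int) -> Optional[PoolKey]:
        """Assign a backed-up spare of the right size to a new policy; None if none is ready."""
        for k in self.keys:
            if k.bits == bits and k.policy is None and k.backed_up:
                k.policy = policy
                return k
        return None
```

A newly generated replacement key stays unusable until the next backup round, which is exactly the delay the pool is meant to absorb.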
--
Ticket URL: <http://trac.opendnssec.org/ticket/146>
OpenDNSSEC <http://www.opendnssec.org/>