[Opendnssec-develop] [OpenDNSSEC] #146: Feature request: general pool of available keys

OpenDNSSEC owner-dnssec-trac at kirei.se
Wed Jul 14 13:26:54 UTC 2010

#146: Feature request: general pool of available keys
Reporter:  roland       |       Owner:  sion          
    Type:  enhancement  |      Status:  new           
Priority:  major        |   Component:  Enforcer      
 Version:  trunk        |    Keywords:  key generation
 While working on the implementation of our DNSSEC deployment we came to
 the conclusion that it would be helpful to have a general pool of
 pre-generated keys available (of certain common specifiable sizes, e.g.
 10x 1024-bit keys and 10x 2048-bit keys).

 The use case for this is simple: we use HSMs to store key material and we
 expect to add new signing policies on a regular basis. We will be using
 shared keys (e.g. each university etc. has one set of keys for all its
 zones). At regular intervals, we will need to create a new policy when a
 new customer enables DNSSEC for its first zone. This is all done by an
 automated system. The problem we face is that we cannot start producing
 signed zones for this customer/new policy until we have backed up the
 newly generated keys that belong to the policy. And our backup procedure
 is such that it cannot be done automatically (the HSM requires manual
 intervention for security reasons), which means that it may take some time
 (days) before this new zone can be taken into production.

 This issue could easily be resolved by having a pool of pre-generated keys
 available for general use (i.e. not yet assigned to a policy) that the
 enforcer can choose from when it needs new keys for a new policy.

 Summarising: is it possible to add this feature to the enforcer? I think
 there is a use case here for registrars.

Ticket URL: <http://trac.opendnssec.org/ticket/146>
OpenDNSSEC <http://www.opendnssec.org/>
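As an added illustration of the workflow the ticket describes (this is not OpenDNSSEC code and not how the enforcer is implemented), the following Python model keeps a pool of pre-generated keys per size, lets them be used only after the operator has confirmed the manual HSM backup, and hands them to new policies on demand. The class and state names, and the `key-NNNN` labels, are assumptions made for the example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional

class KeyState(Enum):
    GENERATED = "generated"  # exists in the HSM, backup not yet done: must not be used
    BACKED_UP = "backed_up"  # operator confirmed the manual HSM backup: usable
    ASSIGNED = "assigned"    # handed out to a signing policy

@dataclass
class PoolKey:
    key_id: str              # constructed label standing in for the HSM key locator
    bits: int
    state: KeyState = KeyState.GENERATED
    policy: Optional[str] = None

class KeyPool:
    def __init__(self, targets: Dict[int, int]) -> None:
        self.targets = targets          # key size -> number of spare keys to keep
        self.keys: List[PoolKey] = []
        self._seq = 0

    def spare(self, bits: int) -> int:
        """Unassigned keys of this size, whether backed up yet or not."""
        return sum(1 for k in self.keys if k.bits == bits and k.state != KeyState.ASSIGNED)

    def replenish(self) -> int:
        """Generate keys until every size has its target of spare keys; returns how many."""
        made = 0
        for bits, target in self.targets.items():
            for _ in range(target - self.spare(bits)):
                self._seq += 1
                self.keys.append(PoolKey(f"key-{self._seq:04d}", bits))
                made += 1
        return made

    def mark_backed_up(self) -> int:
        """Called once the operator has finished the manual HSM backup run."""
        fresh = [k for k in self.keys if k.state == KeyState.GENERATED]
        for k in fresh:
            k.state = KeyState.BACKED_UP
        return len(fresh)

    def allocate(self, policy: str, bits: int) -> Optional[PoolKey]:
        """Bind a backed-up key of the requested size to a new policy; None if none is ready."""
        for k in self.keys:
            if k.bits == bits and k.state == KeyState.BACKED_UP:
                k.state, k.policy = KeyState.ASSIGNED, policy
                return k
        return None
```

Run `replenish()` on a schedule and `mark_backed_up()` after each backup window; a new customer's policy then only waits when the pool for its key size is exhausted.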
