[Opendnssec-develop] Enforcer: Multiple keys in same role

Yuri Schaeffer yuri at NLnetLabs.nl
Fri Jul 15 15:12:23 UTC 2011

> How would you know which one is the oldest if you only have the
> duration and not the interval? And how would the lifetime help you to
> decide which one to roll?

Ah yes, well a key has an inception date as well. A policy obviously
does not, so inception date has no influence on the policy-key relation.

What I was trying to explain was that we need this (implicit)
relationship between key and policy to decide which keys to keep. It has
no influence on the actual rollover mechanism.

> I was also wondering what you need the repository for? Once the key
> has been created, then libhsm will find it for you. 

The policy tells me which repository to create the key material in. The
keys tell in which one they were created. These two can drift apart. After
a while a zone might have a new policy using another HSM, but my old keys
must still point to the old HSM.

Having no explicit relation between key and policy makes policy
rollovers trivial.

I want to use the repository for the implicit relationship so someone
could for example sign a zone with two identical keys but stored on a
different HSM.

So I propose to link keys to their policy exactly how they are specified
in the kasp.xml:

> ...
> <KSK>
> 	<Algorithm length="2048">9</Algorithm>
> 	<Lifetime>PT2400S</Lifetime>
> 	<Repository>SoftHSM</Repository>
> </KSK>
> ...


Yuri Schaeffer
NLnet Labs
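Added example (not part of the message above and not OpenDNSSEC code): a small model of the implicit key/policy relation Yuri proposes, where a key is matched to a <KSK>/<ZSK> block purely on the four fields it was generated under (algorithm, length, lifetime, repository), the key's own inception date decides which one is oldest, and a policy that moves to another HSM simply stops matching the old keys. The `KeySpec`/`Key` classes, the `SoftHSM`/`OtherHSM` repository names, the key locators and the timestamps are assumptions constructed for the example; the values 9, 2048 and PT2400S are copied from the kasp.xml snippet in the message.

```python
"""Model of an implicit key <-> policy relation (added example, hypothetical).

Nothing here is OpenDNSSEC's own data model or API; it only illustrates the
matching rule discussed on the list.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# ISO 8601 duration subset as it appears in kasp.xml: P[nD][T[nH][nM][nS]].
# Year/month designators are deliberately not handled in this example.
_DURATION_RE = re.compile(
    r"^P(?:(?P<d>\d+)D)?"
    r"(?:T(?:(?P<h>\d+)H)?(?:(?P<m>\d+)M)?(?:(?P<s>\d+)S)?)?$"
)


def parse_duration(text: str) -> timedelta:
    """Parse e.g. 'PT2400S' or 'P1DT12H' into a timedelta."""
    m = _DURATION_RE.match(text)
    if not m or text in ("P", "PT"):
        raise ValueError(f"unsupported duration: {text}")
    parts = {k: int(v or 0) for k, v in m.groupdict().items()}
    return timedelta(days=parts["d"], hours=parts["h"],
                     minutes=parts["m"], seconds=parts["s"])


@dataclass(frozen=True)
class KeySpec:
    """The fields of one <KSK>/<ZSK> block; equality on all four of them
    is the implicit policy-key relation (hypothetical type)."""
    role: str          # "KSK" or "ZSK"
    algorithm: int     # DNSSEC algorithm number as written in kasp.xml
    length: int        # key length from the length="" attribute
    lifetime: timedelta
    repository: str    # HSM the key material lives in


@dataclass
class Key:
    """A generated key: carries the spec it was created under plus its
    inception date, which a policy does not have (hypothetical type)."""
    locator: str
    spec: KeySpec
    inception: datetime


def keys_for_policy(keys: List[Key], spec: KeySpec) -> List[Key]:
    """All keys that match a policy block exactly; keys generated under an
    earlier version of the policy (e.g. another HSM) are not returned."""
    return [k for k in keys if k.spec == spec]


def oldest(keys: List[Key]) -> Optional[Key]:
    """Inception date, not the policy, decides which matching key is oldest."""
    return min(keys, key=lambda k: k.inception, default=None)


def expired(key: Key, now: datetime) -> bool:
    """A key's own lifetime tells when it is due, independent of the policy
    it may no longer match."""
    return now >= key.inception + key.spec.lifetime


# Constructed sample data.
UTC = timezone.utc
T0 = datetime(2011, 7, 15, 15, 0, tzinfo=UTC)
KSK_V1 = KeySpec("KSK", 9, 2048, parse_duration("PT2400S"), "SoftHSM")
# Hypothetical later version of the same policy, moved to another HSM.
KSK_V2 = KeySpec("KSK", 9, 2048, parse_duration("PT2400S"), "OtherHSM")

SAMPLE_KEYS = [
    Key("key-a", KSK_V1, T0),
    Key("key-b", KSK_V1, T0 + timedelta(minutes=20)),
    # Identical parameters to key-a but stored on a different HSM, so it is
    # a different key for the purposes of the relation.
    Key("key-c", KSK_V2, T0 + timedelta(minutes=10)),
]


if __name__ == "__main__":
    for spec in (KSK_V1, KSK_V2):
        matched = keys_for_policy(SAMPLE_KEYS, spec)
        first = oldest(matched)
        print(spec.repository, [k.locator for k in matched],
              "oldest:", first.locator if first else None)
    # After the policy moved to OtherHSM, key-a still retires on its own clock.
    print("key-a expired at T0+40min:",
          expired(SAMPLE_KEYS[0], T0 + timedelta(seconds=2400)))
```

Running it lists the two SoftHSM keys (key-a oldest) for the old policy version and only key-c for the new one; the old keys are not touched by the policy change but still expire after their own PT2400S, which is the "policy rollovers are trivial" property from the message.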
