[Opendnssec-user] Key rollovers
Johan Ihren
johani at autonomica.se
Mon Nov 16 08:37:42 UTC 2009
Hi,
On 16 Nov 2009, at 08:22, Antti Ristimäki wrote:
> Just wondering whether it's possible to add some level of extra
> authentication to the key rollover process? Now, if one can access the
> OpenDNSSEC server with sufficient privileges, he or she can trigger the
> key rollover by giving the "ods-ksmutil key rollover..." command, right?
>
> It has to be noted, though, that the ability to merely roll the key is
> not so critical if one is not authorized to update the DS record in the
> parent zone. However, it would be nice to have some mechanism to prevent
> a single user from rolling the keys, especially KSK.
Lock the server into a cage that requires two physical keys?
Regards,
Johan
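The mechanism Antti asks for (no single operator able to trigger a KSK rollover on their own) can be approximated outside OpenDNSSEC with a two-person approval gate wrapped around the rollover command. The script below is an added example, not part of this thread or of the OpenDNSSEC project. It assumes a writable approvals directory, a freshness window for approvals, and the OpenDNSSEC 1.x invocation `ods-ksmutil key rollover --zone ZONE --keytype KSK`, which is kept behind the `ODS_KSMUTIL` variable so the gate can be exercised without the real tool installed. Whether the real server limits who can write to the approvals directory is what makes the gate meaningful; on its own the script only enforces the counting rule.

```sh
#!/bin/sh
# Two-person approval gate in front of "ods-ksmutil key rollover".
# Added example, not OpenDNSSEC's own tooling. Constructed assumptions:
#   - approvals live as one file per approver in $APPROVAL_DIR/<zone>/
#   - an approval expires after $APPROVAL_TTL seconds
#   - ODS_KSMUTIL points at the real binary; override it for a dry run

APPROVAL_DIR="${APPROVAL_DIR:-/var/lib/ods-rollover-approvals}"
APPROVAL_TTL="${APPROVAL_TTL:-3600}"
ODS_KSMUTIL="${ODS_KSMUTIL:-ods-ksmutil}"
REQUIRED_APPROVALS=2

# approve ZONE USER: record that USER approves a KSK rollover of ZONE.
approve() {
    zone=$1; user=$2
    mkdir -p "$APPROVAL_DIR/$zone"
    date +%s > "$APPROVAL_DIR/$zone/$user"
}

# count_valid ZONE: number of distinct approvers whose approval is still fresh.
count_valid() {
    zone=$1; now=$(date +%s); n=0
    for f in "$APPROVAL_DIR/$zone"/*; do
        [ -f "$f" ] || continue
        ts=$(cat "$f")
        if [ $((now - ts)) -le "$APPROVAL_TTL" ]; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# rollover ZONE USER: run the real rollover only when REQUIRED_APPROVALS
# distinct, fresh approvals exist and the caller is one of the approvers.
# Returns 0 on success, 1 when the gate refuses.
rollover() {
    zone=$1; user=$2
    if [ ! -f "$APPROVAL_DIR/$zone/$user" ]; then
        echo "refused: $user has not approved a rollover of $zone" >&2
        return 1
    fi
    valid=$(count_valid "$zone")
    if [ "$valid" -lt "$REQUIRED_APPROVALS" ]; then
        echo "refused: $valid of $REQUIRED_APPROVALS approvals for $zone" >&2
        return 1
    fi
    "$ODS_KSMUTIL" key rollover --zone "$zone" --keytype KSK || return 1
    rm -rf "$APPROVAL_DIR/$zone"   # approvals are single-use
    return 0
}
```

Each approver runs `approve example.com "$USER"` from their own account; the rollover then succeeds only for a caller who is among at least two fresh approvers, and the approvals are consumed so a second rollover needs a fresh round. Approvals are time-limited so a stale "yes" from weeks ago cannot be combined with a new one.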