[Opendnssec-user] Key rollovers

Johan Ihren johani at autonomica.se
Mon Nov 16 08:37:42 UTC 2009


On 16 Nov 2009, at 08:22, Antti Ristimäki wrote:

> Just wondering, whether it's possible to add some level of extra
> authentication to the key rollover process? Now, if one can access the
> OpenDNSSEC server with sufficient privileges, he or she can trigger  
> the
> key rollover by giving the "ods-ksmutil key rollover..." command,
> right?
> It has to be noted, though, that the ability to merely roll the key is
> not so critical if one is not authorized to update the DS record in  
> the
> parent zone. However, it would be nice to have some mechanism to  
> prevent
> a single user to roll the keys, especially KSK.

Lock the server into a cage that requires two physical keys?



More information about the Opendnssec-user mailing list