[Opendnssec-user] Why do we need standby keys? Part #2: how
Johan Ihren
johani at autonomica.se
Thu Aug 26 15:32:47 UTC 2010
This is what came out of our discussion of how to deal with standby keys stored in potentially offline HSMs. It is Stephen's text but I'm posting it with his permission.
Johan
-----
In proposing a new model for the handling of standby keys in OpenDNSSEC, it is assumed that the most likely cause of a key compromise is the compromise of the HSM in which the key is stored. It is also assumed that an HSM is most likely to be compromised if it is online all the time.
This suggests that a standby key is best stored in an HSM that is not readily accessible. How this is achieved depends on the HSM: perhaps the device is not connected to the network; perhaps the HSM needs information on a smart card that is usually held in a safe. Either way OpenDNSSEC needs to be able to handle the situation where it has information about a key in its database but where the associated HSM is not available.
So the proposal for the handling of standby keys in OpenDNSSEC is:
1. The user creates a standby key for a zone (or zones), specifying an HSM in which the key is to be created. This HSM must be online at the time of key creation, but can be taken offline afterwards.
2. KASP stores the ID of the key and HSM in its database. It also accesses the public part of the key and stores that in the database as well.
3. When KASP passes key information to the signer (currently just key IDs and DNSKEY information), it also passes the public key information for all standby keys for the zone.
4. The signer constructs the DNSKEY records for the standby key from the public key information received from KASP and includes the key into the DNSKEY RRset.
(The point here is that neither KASP nor the signer access the HSM associated with the standby key during the signing process.)
If the standby key has to be activated, the appropriate HSM is connected and the states of the keys adjusted so that the standby key is set up as the active key's successor and the active key is marked for retirement. Assuming that the standby key has been in the zone for long enough, forcing a re-signing pass will roll the key.
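What steps 2 to 4 amount to on the signer side, as an added illustration and not OpenDNSSEC's own code: the DNSKEY record for a standby key is built from the public material KASP stored (RFC 3110 RSA encoding inside RFC 4034 DNSKEY RDATA, plus the Appendix B key tag), and the HSM is consulted only for keys that will actually produce signatures. The KaspKeyRecord schema, HSM names and key bytes are assumptions made for the example.

```python
import base64
import struct
from dataclasses import dataclass

@dataclass
class KaspKeyRecord:
    """Hypothetical KASP row: key and HSM IDs plus the stored public half of the key."""
    key_id: str
    hsm_id: str
    flags: int        # 257 = KSK (SEP bit set), 256 = ZSK
    algorithm: int    # 8 = RSASHA256
    exponent: bytes   # RSA public exponent, big-endian
    modulus: bytes    # RSA modulus, big-endian
    standby: bool = False

def rsa_public_key_field(exponent: bytes, modulus: bytes) -> bytes:
    """RFC 3110 layout: exponent length (1 byte, or 0 plus 2 bytes), exponent, modulus."""
    prefix = struct.pack("!B", len(exponent)) if len(exponent) < 256 else struct.pack("!BH", 0, len(exponent))
    return prefix + exponent + modulus

def dnskey_rdata(rec: KaspKeyRecord) -> bytes:
    """RFC 4034 DNSKEY RDATA: flags, protocol (always 3), algorithm, public key."""
    return struct.pack("!HBB", rec.flags, 3, rec.algorithm) + rsa_public_key_field(rec.exponent, rec.modulus)

def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (for every algorithm except the obsolete RSAMD5)."""
    ac = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def dnskey_rr(zone: str, ttl: int, rec: KaspKeyRecord) -> str:
    """Presentation-format DNSKEY RR built purely from the stored public material."""
    rdata = dnskey_rdata(rec)
    return f"{zone} {ttl} IN DNSKEY {rec.flags} 3 {rec.algorithm} {base64.b64encode(rdata[4:]).decode()}"

def build_dnskey_rrset(zone: str, ttl: int, records: list, online_hsms: set) -> list:
    """Signer side: standby keys enter the RRset from the KASP record alone; only keys that
    will actually sign need their HSM reachable, so an offline HSM is fatal only for those."""
    for rec in records:
        if not rec.standby and rec.hsm_id not in online_hsms:
            raise RuntimeError(f"active key {rec.key_id} needs HSM {rec.hsm_id}, which is offline")
    return [dnskey_rr(zone, ttl, rec) for rec in records]

# Constructed sample material (not real keys): a 3-byte exponent and a 16-byte "modulus".
ACTIVE_KSK = KaspKeyRecord("ksk-1", "hsm-online", 257, 8, b"\x01\x00\x01", bytes(range(1, 17)))
STANDBY_KSK = KaspKeyRecord("ksk-2", "hsm-safe", 257, 8, b"\x01\x00\x01", bytes(range(17, 33)), standby=True)

if __name__ == "__main__":
    for rr in build_dnskey_rrset("example.", 3600, [ACTIVE_KSK, STANDBY_KSK], {"hsm-online"}):
        print(rr)
```

Run as a script it prints both DNSKEY RRs although only hsm-online is reachable; remove "hsm-online" from the set and the active key, not the standby key, is what stops the signing pass.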