[Opendnssec-user] Signer/HSM redundancy and database replication

Antti Ristimäki aristima at csc.fi
Sun Feb 28 06:42:42 UTC 2010


Thank you all for your suggestions. The idea of pregenerating the keys and 
manually copying them into the backup HSM sounds feasible. This procedure 
could be well combined with the KSK rollover process, as it more or less 
requires some human intervention anyway.

However, I'm still missing one thing. I'm able to pregenerate the keys for 
a given time interval and I can see them in the HSM with the "ods-hsmutil 
list" command. When giving "ods-ksmutil list", the pregenerated keys are not 
listed at all, although I think that they should be listed as "GENERATED". 
The enforcer does use the pregenerated keys to roll out the keys, though.


More information about the Opendnssec-user mailing list