[Opendnssec-user] Signer/HSM redundancy and database replication
Antti Ristimäki
aristima at csc.fi
Sun Feb 28 06:42:42 UTC 2010
Hi,

Thank you all for your suggestions. The idea of pregenerating the keys and
manually copying them into the backup HSM sounds feasible. This procedure
could be well combined with the KSK rollover process, as it more or less
requires some human intervention anyway.

However, I'm still missing one thing. I'm able to pregenerate the keys for
a given time interval and I can see them in the HSM with the "ods-hsmutil
list" command. When giving "ods-ksmutil list", the pregenerated keys are not
listed at all, although I think that they should be listed as "GENERATED".
The enforcer does use the pregenerated keys to roll out the keys, though.

Antti