[Opendnssec-user] Signer/HSM redundancy and database replication
aristima at csc.fi
Sun Feb 28 06:42:42 UTC 2010
Thank you all for your suggestions. The idea of pregenerating the keys and
manually copying them into the backup HSM sounds feasible. This procedure
could be well combined with the KSK rollover process, as it more or less
requires some human intervention anyway.
However, I'm still missing one thing. I'm able to pregenerate the keys for
a given time interval and I can see them in the HSM with the "ods-hsmutil
list" command. When giving "ods-ksmutil list", the pregenerated keys are not
listed at all, although I think that they should be listed as "GENERATED".
The enforcer does use the pregenerated keys to roll out the keys, though.
More information about the Opendnssec-user