[Opendnssec-user] Why do we need standby keys?

Rickard Bellgrim rickard.bellgrim at iis.se
Thu Jul 8 11:08:09 UTC 2010


On 8 jul 2010, at 11.55, Mathieu Arnold wrote:

> Well, I'd rather have the possibility of having the choice, OpenDNSSEC
> makes it very easy to handle standby keys. If we wanted to do things
> ourselves, we would have stayed with our in house brewed scripts, which
> were not working that bad :-)
> 
> We have thousands of domains (with only about a hundred signed right now)
> and I can't add the weight of having to handle keys manually to my
> co-workers.
> 
> I do get your point, but nobody forces you to use OpenDNSSEC's standby keys
> capabilities :-)


Yes, if OpenDNSSEC is going to handle standby keys in a good way, then you need to be able to specify another location for the keys than the HSM you are using. If you are sharing keys between your zones, then there should be a possibility for you to take this HSM offline, since you want to make sure that the key cannot be stolen. If you are not sharing keys, then the HSM needs to be online because OpenDNSSEC needs to create new standby keys for the new zones that you add. If the HSM is online, then you do not want to have the same HSM vendor, because one reason behind an emergency rollover is that your keys have leaked. If the keys have leaked from one HSM, then they have probably leaked from the other one as well.

If you decide to do the standby handling manually, then generate one KSK and one ZSK. The public key of the ZSK is added to all of your zones. You probably can do it in the same place where you add the NS pointers. Also make sure that you always add the DS of the standby KSK when you receive updates from OpenDNSSEC. The manual operation is when you generate the keys in the beginning, and when you want to restore from a catastrophic event.

But a real breakdown of your systems is something that not even OpenDNSSEC can help you with. OpenDNSSEC handles the day-to-day operation with key rollovers and signing. The standby key would be a last resort when you were not able to restore your system. Can you afford downtime if this happens? Then you probably can live without standby keys.

So, what kind of emergency rollovers do you expect?

// Rickard

