[Opendnssec-user] OpenDNSSEC, HSM and key ceremony

Antoin Verschuren Antoin.Verschuren at sidn.nl
Fri Jun 11 09:02:58 UTC 2010

Hi guys,

We're having quite some discussions on operational implementation of OpenDNSSEC, and what the role of the key ceremony is when OpenDNSSEC is used, and how it should be configured.
What we're trying to accomplish is that KSK rollovers should always be done manually in a key ceremony, having an MofN authentication.
We don't want to have the same security constrains for ZSK rollovers.
ZSK rollovers should be done automatically by OpenDNSSEC.

I wonder how ICANN or .se is doing this with OpenDNSSEC.

We're using a LUNA SA HSM.

Isn't it true that for a ZSK rollover, OpenDNSSEC needs access to the KSK, at least for signing ?
Or if you pregenerate ZSK's to be used by OpenDNSSEC, you need to generate signatures by the KSK's as well right ?
Where are they stored, and how do you pregenerate these ZSK's and signatures for the lifetime of the KSK ?
How do you configure that in OpenDNSSEC so it knows where to get the ZSK's and signatures ?


Do we assume that an HSM has the capability to sign with the KSK during a ZSK rollover ?
In our HSM, if we grant OpenDNSSEC the right to sign with the KSK during the ZSK rollover, OpenDNSSEC also has the right to generate or delete new KSK's (without the M0fN key ceremony).
We can only activate or deactivate the partition where the KSK is stored. When the partition where we store the KSK is deactivated, we cannot use the KSK for signing.


The HSM should have the capability to limit the number of keys on a partition.
In that way, we could have only one partition with one KSK active, and when a new KSK is generated by OpenDNSSEC, on a new partition, it needs a manual M0fN key ceremony to activate that partition.

I'm very interested to hear your thoughts or implementations on the need for the KSK to be accessible directly by OpenDNSSEC, and how you think to limit the access of OpenDNSSEC to KSK rollover or unattended generation of new KSK's.

Antoin Verschuren

Technical Policy Advisor SIDN
Utrechtseweg 310, PO Box 5022, 6802 EA Arnhem, The Netherlands

P: +31 26 3525500  F: +31 26 3525505  M: +31 6 23368970
mailto:antoin.verschuren at sidn.nl  xmpp:antoin at jabber.sidn.nl  http://www.sidn.nl/

More information about the Opendnssec-user mailing list