[Opendnssec-user] RE: OpenDNSSEC, HSM and key ceremony

[Brett Carr]

Antoin,

> To: Open DNSSEC List
> Subject: [Opendnssec-user] OpenDNSSEC, HSM and key ceremony
> 
> Hi guys,
> 
> We're having quite some discussions on operational implementation of
> OpenDNSSEC, and what the role of the key ceremony is when OpenDNSSEC is
> used, and how it should be configured.
> What we're trying to accomplish is that KSK rollovers should always be
> done manually in a key ceremony, having an MofN authentication.
> We don't want to have the same security constrains for ZSK rollovers.
> ZSK rollovers should be done automatically by OpenDNSSEC.
> 
> I wonder how ICANN or .se is doing this with OpenDNSSEC.
> 
> We're using a LUNA SA HSM.
> 
> Isn't it true that for a ZSK rollover, OpenDNSSEC needs access to the
> KSK, at least for signing ?
> Or if you pregenerate ZSK's to be used by OpenDNSSEC, you need to
> generate signatures by the KSK's as well right ?
> Where are they stored, and how do you pregenerate these ZSK's and
> signatures for the lifetime of the KSK ?
> How do you configure that in OpenDNSSEC so it knows where to get the
> ZSK's and signatures ?
> 
> Or:
> 
> Do we assume that an HSM has the capability to sign with the KSK during
> a ZSK rollover ?
> In our HSM, if we grant OpenDNSSEC the right to sign with the KSK
> during the ZSK rollover, OpenDNSSEC also has the right to generate or
> delete new KSK's (without the M0fN key ceremony).


You could pre-generate some/all your ZSK's and/or KSK's and also add the ManualKeyGeneration config statement to conf.xml then opendnssec wouldn't generate keys at all.

Brett