[Opendnssec-user] OpenDNSSEC, HSM and key ceremony

Michael Braunoeder mib at nic.at
Fri Jun 11 10:18:32 UTC 2010

Hi Antoin,

On 11.06.2010 11:02, Antoin Verschuren wrote:
> Isn't it true that for a ZSK rollover, OpenDNSSEC needs access to the KSK, at least for signing?
> Or if you pregenerate ZSKs to be used by OpenDNSSEC, you need to generate signatures by the KSKs as well, right?
> Where are they stored, and how do you pregenerate these ZSKs and signatures for the lifetime of the KSK?
> How do you configure that in OpenDNSSEC so it knows where to get the ZSKs and signatures?

We are currently thinking about such an implementation setup with
pregenerated ZSKs and signatures, and unfortunately I think such a setup
is not possible with the current OpenDNSSEC.

