[Opendnssec-user] OpenDNSSEC, HSM and key ceremony
Michael Braunoeder
mib at nic.at
Fri Jun 11 10:18:32 UTC 2010
Hi Antoin,
On 11.06.2010 11:02, Antoin Verschuren wrote:
[...]
>
> Isn't it true that for a ZSK rollover, OpenDNSSEC needs access to the KSK, at least for signing?
> Or if you pregenerate ZSKs to be used by OpenDNSSEC, you need to generate signatures by the KSKs as well, right?
> Where are they stored, and how do you pregenerate these ZSKs and signatures for the lifetime of the KSK?
> How do you configure that in OpenDNSSEC so it knows where to get the ZSKs and signatures?
>
We are currently thinking about such an implementation setup with
pregenerated ZSKs and signatures and unfortunately I think such a setup
is not possible with the current OpenDNSSEC.
Best,
Michael