[Opendnssec-user] OpenDNSSEC and offline KSKs
mib at nic.at
Wed May 5 09:26:52 UTC 2010
I'm currently thinking about some DNSSEC key handling scenarios and
howto implement them with OpenDNSSEC. One of the scenarios is, to hold
the KSK on a smartcard, pre-generate the ZSKs for a period, lets say one
year, and sign the generated ZSKs with the KSK on the smartcard.
After the ZSK-generation, the KSK-smartcard is put into a safe and the
daily signing work (including the ZSK rollovers) is done only with the
ZSKs and the pregenerated signatures.
Does OpenDNSSEC support such a scenario and how has the configuration
look like? If I understand it correctly, the configured HSMs in the
OpenDNSSEC configuration files have to be online all the time.
Are there any recommendations of such smartcard-HSMs?
Thank in advance and best regards,
More information about the Opendnssec-user