[Opendnssec-user] OpenDNSSEC and offline KSKs
Michael Braunoeder
mib at nic.at
Wed May  5 09:26:52 UTC 2010

Hi,

I'm currently thinking about some DNSSEC key handling scenarios and
how to implement them with OpenDNSSEC. One of the scenarios is to hold
the KSK on a smartcard, pre-generate the ZSKs for a period, let's say one
year, and sign the generated ZSKs with the KSK on the smartcard.
After the ZSK generation, the KSK smartcard is put into a safe and the
daily signing work (including the ZSK rollovers) is done only with the
ZSKs and the pregenerated signatures.

Does OpenDNSSEC support such a scenario, and what does the configuration
have to look like? If I understand it correctly, the configured HSMs in the
OpenDNSSEC configuration files have to be online all the time.

Are there any recommendations for such smartcard-HSMs?

Thanks in advance and best regards,
Michael
    
    