[Opendnssec-user] OpenDNSSEC and offline KSKs

Jakob Schlyter jakob at kirei.se
Wed May 5 12:26:50 UTC 2010

On 5 maj 2010, at 11.26, Michael Braunoeder wrote:

> I'm currently thinking about some DNSSEC key handling scenarios and howto implement them with OpenDNSSEC. One of the scenarios is, to hold the KSK on a smartcard, pre-generate the ZSKs for a period, lets say one year, and sign the generated ZSKs with the KSK on the smartcard.
> After the ZSK-generation, the KSK-smartcard is put into a safe and the daily signing work (including the ZSK rollovers) is done only with the ZSKs and the pregenerated signatures.
> Does OpenDNSSEC support such a scenario and how has the configuration look like? If I understand it correctly, the configured HSMs in the OpenDNSSEC configuration files have to be online all the time.

OpenDNSSEC does not currently support any type of offline HSM, sorry.

> Are there any recommendations of such smartcard-HSMs?

there are several smartcard HSMs that you can use with OpenDNSSEC today. I would start looking at the ones supported by OpenSC, see http://www.opensc-project.org/opensc/wiki/SupportedHardware for a list.


More information about the Opendnssec-user mailing list