[Opendnssec-user] Why do we need standby keys? Part #1: why

Johan Ihren johani at autonomica.se
Mon Sep 6 14:42:12 UTC 2010


Hi Rickard,

On Sep 3, 2010, at 12:01 , Rickard Bellgrim wrote:

> On 26 aug 2010, at 17.32, Johan Ihren wrote:
> 
>> Given support for keys stored in offline HSMs, supporting standby keys becomes, if not trivial, at least not a daunting task.
>> 
>> I'll post part #2 in a minute, which contains some thoughts on how to support standby keys in OpenDNSSEC, assuming that HSMs containing keys may be offline.
> 
> This is how we will do it.
> 
> * Standby keys will become an optional parameter in kasp.xml (and removed from the kasp.xml example)
> * They will be marked as experimental in the documentation (because we do not support offline HSMs yet)
> * The system will handle standby keys, if the user still believes that the current implementation gives them what they want
> * In a future version we will support offline HSMs and standby keys will not be experimental anymore.

This sounds very reasonable. Thanks for reconsidering the issue.

Regards,

Johan



