[Opendnssec-user] Howto publish an additional DNSKEY-record

Michael Braunoeder mib at nic.at
Thu Dec 1 14:04:33 UTC 2011


I'm currently implementing a DNSSEC-Setup and I need some ideas how to 
fix a specific problem.

Our setup looks like this:
We use Hardware-HSMs to store the keys (KSKs and ZSKs) and to do the 
daily work. The DS-Record(s) for the KSK(s) are added to the parent 
zone. To be prepared in cause of failures of these HSMs, we would like 
to generate a key stored in a SoftHSM. The DNSKEY-Record of this key 
should also be added to the signed zone (only the DNSKEY-Record, no 
signatures with this key should be generated)  and the corresponding 
DS-Record to the parent zone. For security reasons this SoftHSM should 
not be available on the server. In case of emergency, the SoftHSM is 
copied to the server and a key rollover to this key should be done.

How can I realize this setup with OpenDNSSEC? Is it possible to keep 
this key in the "Publish" state until 1.1.2100 (or something like that)?

Thanks in advance and best,

More information about the Opendnssec-user mailing list