[Opendnssec-user] Howto publish an additional DNSKEY-record
Michael Braunoeder
mib at nic.at
Thu Dec 1 14:04:33 UTC 2011
Hi,
I'm currently implementing a DNSSEC setup and I need some ideas on how to
solve a specific problem.
Our setup looks like this:
We use hardware HSMs to store the keys (KSKs and ZSKs) and to do the
daily work. The DS record(s) for the KSK(s) are added to the parent
zone. To be prepared in case of failures of these HSMs, we would like
to generate a key stored in a SoftHSM. The DNSKEY record of this key
should also be added to the signed zone (only the DNSKEY record, no
signatures with this key should be generated) and the corresponding
DS record to the parent zone. For security reasons this SoftHSM should
not be available on the server. In case of emergency, the SoftHSM is
copied to the server and a key rollover to this key should be done.
How can I realize this setup with OpenDNSSEC? Is it possible to keep
this key in the "Publish" state until 1.1.2100 (or something like that)?
Thanks in advance and best,
Michael
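As an added example (not code from the original post or from OpenDNSSEC), a small Python script that derives the DS record the parent zone would need for the standby key's DNSKEY and checks that a DS published in the parent really matches that DNSKEY, following RFC 4034; the owner name and key bytes are constructed placeholders.

```python
import base64
import hashlib
import struct

# Constructed example: build the DNSKEY RDATA of a standby KSK and derive the
# DS record (key tag + digest) that has to be published in the parent zone.

def name_to_wire(owner: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels."""
    labels = [l for l in owner.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 16-bit flags (257 = KSK/SEP), 8-bit protocol (3), 8-bit algorithm, key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (algorithm 1 / RSAMD5 uses another rule, not handled)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> str:
    """DS digest = hash(owner name wire form || DNSKEY RDATA); type 1 = SHA-1, 2 = SHA-256."""
    h = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    return h(name_to_wire(owner) + rdata).hexdigest().upper()

def ds_record(owner: str, flags: int, protocol: int, algorithm: int, pubkey: bytes):
    """Return (key_tag, algorithm, digest_type, digest) for the parent-side DS record."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    return key_tag(rdata), algorithm, 2, ds_digest(owner, rdata, 2)

def ds_matches(owner: str, rdata: bytes, tag: int, algorithm: int,
               digest_type: int, digest: str) -> bool:
    """Check that a DS seen in the parent zone corresponds to this DNSKEY (tag, alg, digest)."""
    return (key_tag(rdata) == tag and rdata[3] == algorithm
            and ds_digest(owner, rdata, digest_type) == digest.upper())

if __name__ == "__main__":
    # Constructed, deliberately tiny key material; a real RSA public key is hundreds of bytes.
    pub = base64.b64decode("AQIDBA==")  # b"\x01\x02\x03\x04"
    tag, alg, dtype, dig = ds_record("example.", 257, 3, 8, pub)
    print(f"example. IN DS {tag} {alg} {dtype} {dig}")
```

Running `ds_matches` against the DS actually visible in the parent is the check to do before relying on the standby key: a DS that does not match its DNSKEY gives no usable chain of trust on the day of the rollover.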