[Opendnssec-user] Howto publish an additional DNSKEY-record

Hugo Salgado hsalgado at nic.cl
Thu Dec 1 14:30:12 UTC 2011

On 12/01/2011 11:04 AM, Michael Braunoeder wrote:
> Hi,
> I'm currently implementing a DNSSEC-Setup and I need some ideas how to
> fix a specific problem.
> Our setup looks like this:
> We use Hardware-HSMs to store the keys (KSKs and ZSKs) and to do the
> daily work. The DS-Record(s) for the KSK(s) are added to the parent
> zone. To be prepared in cause of failures of these HSMs, we would like
> to generate a key stored in a SoftHSM. The DNSKEY-Record of this key
> should also be added to the signed zone (only the DNSKEY-Record, no
> signatures with this key should be generated)  and the corresponding
> DS-Record to the parent zone. For security reasons this SoftHSM should
> not be available on the server. In case of emergency, the SoftHSM is
> copied to the server and a key rollover to this key should be done.
> How can I realize this setup with OpenDNSSEC? Is it possible to keep
> this key in the "Publish" state until 1.1.2100 (or something like that)?

What I would do is to add the emergency DNSKEY as a normal RR in the
plain zone, because OpenDNSSEC doesn't need to maintain its state as a

Then, in case of a rollover, it should be a matter of adding a new
keystore with SoftHSM.

Just thinking, never tested.


More information about the Opendnssec-user mailing list