[Opendnssec-user] Howto publish an additional DNSKEY-record
Michael Braunoeder
mib at nic.at
Thu Dec 1 14:49:26 UTC 2011
On 01.12.2011 15:30, Hugo Salgado wrote:
> On 12/01/2011 11:04 AM, Michael Braunoeder wrote:
>> Hi,
>>
>> I'm currently implementing a DNSSEC setup and I need some ideas on how to
>> fix a specific problem.
>>
>> Our setup looks like this:
>> We use Hardware-HSMs to store the keys (KSKs and ZSKs) and to do the
>> daily work. The DS-Record(s) for the KSK(s) are added to the parent
>> zone. To be prepared in case of failures of these HSMs, we would like
>> to generate a key stored in a SoftHSM. The DNSKEY-Record of this key
>> should also be added to the signed zone (only the DNSKEY-Record, no
>> signatures with this key should be generated) and the corresponding
>> DS-Record to the parent zone. For security reasons this SoftHSM should
>> not be available on the server. In case of emergency, the SoftHSM is
>> copied to the server and a key rollover to this key should be done.
>>
>> How can I realize this setup with OpenDNSSEC? Is it possible to keep
>> this key in the "Publish" state until 1.1.2100 (or something like that)?
>
> What I would do is to add the emergency DNSKEY as a normal RR in the
> plain zone, because OpenDNSSEC doesn't need to maintain its state as a
> key.
>
> Then, in case of a rollover, it should be a matter of adding a new
> keystore with SoftHSM.
If it were that easy, that would be great :-)
> Just thinking, never tested.
IIRC I tested it some time ago (with one of the first OpenDNSSEC beta
versions) and I got an error. But I'll test it again.
Best,
Michael
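As an added check for the standby-key setup discussed in this thread (example code written for this page, not from the thread, OpenDNSSEC or SoftHSM): given the apex records of a signed zone, the script below computes each DNSKEY's key tag and SHA-256 DS record data, and reports which keys are published but have produced no RRSIG, which is exactly the state the emergency KSK should be in. The zone text and its few-byte "public keys" are constructed placeholders.

```python
import base64
import hashlib

# Constructed sample of a signed zone's apex records. The base64 keys are
# placeholders a few bytes long, not real DNSSEC public keys.
SIGNED_ZONE = """\
example. 3600 IN DNSKEY 257 3 8 AwEAAQ==
example. 3600 IN DNSKEY 256 3 8 AwEAAQ==
example. 3600 IN DNSKEY 257 3 8 AQAB
example. 3600 IN RRSIG DNSKEY 8 1 3600 20120101000000 20111201000000 1803 example. c2ln
example. 3600 IN RRSIG SOA 8 1 3600 20120101000000 20111201000000 1802 example. c2ln
"""

def owner_wire(name):
    # Canonical wire form of the owner name: lowercase, length-prefixed labels.
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def dnskey_rdata(flags, proto, alg, key_b64):
    # DNSKEY RDATA: flags(2) | protocol(1) | algorithm(1) | public key bytes.
    return flags.to_bytes(2, "big") + bytes([proto, alg]) + base64.b64decode(key_b64)

def key_tag(rdata):
    # Key tag per RFC 4034 Appendix B (algorithms other than RSA/MD5).
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_sha256(owner, rdata):
    # DS digest type 2 (RFC 4509): SHA-256 over owner wire name || DNSKEY RDATA.
    return hashlib.sha256(owner_wire(owner) + rdata).hexdigest()

def audit_keys(zone_text):
    # Map key tag -> details for every DNSKEY; "signs" is True when some RRSIG
    # in the zone carries that tag. A standby KSK should have signs == False.
    keys, signers = {}, set()
    for line in zone_text.splitlines():
        f = line.split()
        if len(f) >= 8 and f[3] == "DNSKEY":
            rdata = dnskey_rdata(int(f[4]), int(f[5]), int(f[6]), "".join(f[7:]))
            keys[key_tag(rdata)] = {"flags": int(f[4]), "alg": int(f[6]),
                                    "ds_sha256": ds_sha256(f[0], rdata), "signs": False}
        elif len(f) >= 12 and f[3] == "RRSIG":
            signers.add(int(f[10]))  # the RRSIG's key tag field
    for tag in keys:
        keys[tag]["signs"] = tag in signers
    return keys
```

Run it against the real signed zone file to confirm the emergency key shows up with flags 257 and signs == False, and to get the DS digest to hand to the parent.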