[Opendnssec-user] Howto publish an additional DNSKEY-record

Michael Braunoeder mib at nic.at
Thu Dec 1 14:49:26 UTC 2011

Am 01.12.2011 15:30, schrieb Hugo Salgado:
> On 12/01/2011 11:04 AM, Michael Braunoeder wrote:
>> Hi,
>> I'm currently implementing a DNSSEC-Setup and I need some ideas how to
>> fix a specific problem.
>> Our setup looks like this:
>> We use Hardware-HSMs to store the keys (KSKs and ZSKs) and to do the
>> daily work. The DS-Record(s) for the KSK(s) are added to the parent
>> zone. To be prepared in cause of failures of these HSMs, we would like
>> to generate a key stored in a SoftHSM. The DNSKEY-Record of this key
>> should also be added to the signed zone (only the DNSKEY-Record, no
>> signatures with this key should be generated)  and the corresponding
>> DS-Record to the parent zone. For security reasons this SoftHSM should
>> not be available on the server. In case of emergency, the SoftHSM is
>> copied to the server and a key rollover to this key should be done.
>> How can I realize this setup with OpenDNSSEC? Is it possible to keep
>> this key in the "Publish" state until 1.1.2100 (or something like that)?
> What I would do is to add the emergency DNSKEY as a normal RR in the
> plain zone, because OpenDNSSEC doesn't need to maintain its state as a
> key.
> Then, in case of a rollover, it should be a matter of adding a new
> keystore with SoftHSM.

If it would be that easy, this would be great :-)

> Just thinking, never tested.

IIRC I tested it some time ago (with one of the first OpenDNSSEC beta 
versions) and I got an error. But I'll test it again.


More information about the Opendnssec-user mailing list