[Opendnssec-user] OpenDNSSEC, HSM and key ceremony
Jaromir Talir
jaromir.talir at nic.cz
Mon Jan 24 18:19:29 UTC 2011
Hi,
We are thinking the same way as Michael. Is there some plan to support
this "pregenerated ZSKs and DNSKEY signatures" in future versions of
OpenDNSSEC? I would vote for it and it's not mentioned in
http://www.opendnssec.org/about/release-plan/ .
Or maybe the 1.3 item, "Support for signing a root zone", is hiding this
feature and it's right on the way? :)
Regards,
Jaromir
On Fri, 2010-06-11 at 12:18 +0200, Michael Braunoeder wrote:
> Hi Antoin,
>
> On 11.06.2010 11:02, Antoin Verschuren wrote:
> [...]
> >
> > Isn't it true that for a ZSK rollover, OpenDNSSEC needs access to the KSK, at least for signing?
> > Or if you pregenerate ZSKs to be used by OpenDNSSEC, you need to generate signatures by the KSKs as well, right?
> > Where are they stored, and how do you pregenerate these ZSKs and signatures for the lifetime of the KSK?
> > How do you configure that in OpenDNSSEC so it knows where to get the ZSKs and signatures?
> >
>
> We are currently thinking about such an implementation setup with
> pregenerated ZSKs and signatures and unfortunately I think such a setup
> is not possible with the current OpenDNSSEC.
>
> Best,
> Michael
--
Jaromir Talir
technicky reditel / Chief Technical Officer
-------------------------------------------
CZ.NIC, z.s.p.o. -- .cz domain registry
Americka 23, 120 00 Praha 2, Czech Republic
mailto:jaromir.talir at nic.cz http://nic.cz/
sip:jaromir.talir at nic.cz tel:+420.222745107
mob:+420.739632712 fax:+420.222745112
-------------------------------------------