[Opendnssec-user] OpenDNSSEC, HSM and key ceremony

Jaromir Talir jaromir.talir at nic.cz
Mon Jan 24 18:19:29 UTC 2011


we are thinking the same way as Michael. Is there some plan to support
this "pregenerated ZSK's and DNSKEY signatures" in future versions of
OpenDNSSEC? I would vote for it and it's not mentioned in
http://www.opendnssec.org/about/release-plan/ .

Or maybe 1.3. item - "Support for signing a root zone" is hiding this
feature and it's right on the way? :)


On Fri, 2010-06-11 at 12:18 +0200, Michael Braunoeder wrote:
> Hi Antoin,
> Am 11.06.2010 11:02, schrieb Antoin Verschuren:
> [...]
>  >
> > Isn't it true that for a ZSK rollover, OpenDNSSEC needs access to the KSK, at least for signing ?
> > Or if you pregenerate ZSK's to be used by OpenDNSSEC, you need to generate signatures by the KSK's as well right ?
> > Where are they stored, and how do you pregenerate these ZSK's and signatures for the lifetime of the KSK ?
> > How do you configure that in OpenDNSSEC so it knows where to get the ZSK's and signatures ?
> >
> We are currently thinking about such an implementation setup with 
> pregenerated ZSKs and signatures and unfortunately I think such a setup 
> is not possible with the current OpenDNSSEC.
> Best,
> Michael
> _______________________________________________
> Opendnssec-user mailing list
> Opendnssec-user at lists.opendnssec.org
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user

Jaromir Talir
technicky reditel / Chief Technical Officer
CZ.NIC, z.s.p.o.  --    .cz domain registry
Americka 23, 120 00 Praha 2, Czech Republic
mailto:jaromir.talir at nic.cz  http://nic.cz/
sip:jaromir.talir at nic.cz tel:+420.222745107
mob:+420.739632712       fax:+420.222745112
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3907 bytes
Desc: not available
URL: <http://lists.opendnssec.org/pipermail/opendnssec-user/attachments/20110124/729c3b70/attachment.bin>

More information about the Opendnssec-user mailing list