[Opendnssec-user] NOTE: keys generated in repository SoftHSM will not become active until they have been backed up

Rickard Bellgrim rickard at opendnssec.org
Tue Feb 28 07:50:15 UTC 2012

> Actually, I find that feature rather strange. What other software on
> a unix server is asserting that you manually tell it you made a
> backup before it can be used?
> IMHO, that's a feature best retired, especially because it is giving
> people issues to start signing in the first place. But if people
> want to keep it, allow signing anyway, but nag via a daily cron job?

The feature is turned off by default. So people should not have a
problem unless it is enabled by them. You enable it by adding the
<RequireBackup /> for your repository in conf.xml.

Most security features in Unix are localized. DNS is global and has
its special properties. If you lose your keys, then the only way of
replacing them is to first go unsigned. If you e.g. accidentally delete
your server's SSH key, then you can replace it and the users will just
get a warning that a new key is present at the server, which can be
overridden. You do not need to disable the security mechanisms and have
anonymous access to the server. With DNSSEC, if you just switch your
keys without going unsigned or doing a proper key rollover (which you
can't since you lost your keys), the resolvers will/may have cached
information which makes it impossible to validate the data and the
user will be denied access to the information.

// Rickard
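
Added example, not part of the original message and not OpenDNSSEC code: a small audit that reads a conf.xml and reports, per repository, whether `<RequireBackup />` is set, i.e. whether newly generated keys there will stay inactive until they are backed up. The sample conf.xml is constructed; its module paths, token labels, PINs and the second repository name are placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed sample conf.xml (not taken from the thread). Element names follow
# the OpenDNSSEC conf.xml layout; module paths, labels and PINs are placeholders.
SAMPLE_CONF = """\
<Configuration>
  <RepositoryList>
    <Repository name="SoftHSM">
      <Module>/path/to/libsofthsm.so</Module>
      <TokenLabel>OpenDNSSEC</TokenLabel>
      <PIN>placeholder</PIN>
      <RequireBackup />
    </Repository>
    <Repository name="ExampleHSM">
      <Module>/path/to/pkcs11-module.so</Module>
      <TokenLabel>example</TokenLabel>
      <PIN>placeholder</PIN>
    </Repository>
  </RepositoryList>
</Configuration>
"""

def backup_requirements(conf_xml):
    """Map each repository name to True if <RequireBackup /> is present."""
    root = ET.fromstring(conf_xml)
    result = {}
    for repo in root.iter("Repository"):
        name = repo.get("name")
        if name is None:
            raise ValueError("Repository element without a name attribute")
        if name in result:
            raise ValueError(f"duplicate repository name: {name}")
        # Only a direct child counts; the element is an empty flag.
        result[name] = repo.find("RequireBackup") is not None
    return result

def report(conf_xml):
    """One human-readable line per repository, sorted by name."""
    lines = []
    for name, required in sorted(backup_requirements(conf_xml).items()):
        state = ("new keys stay inactive until backed up" if required
                 else "new keys usable without a backup step (default)")
        lines.append(f"{name}: {state}")
    return lines

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_CONF)))
```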
