[Opendnssec-user] Predictable HSM key use

Tomas Simonaitis simtom at domreg.lt
Fri Jan 20 07:09:36 UTC 2012


Hello,

we are planning to have several signing machines with HSMs
for redundancy.
I found an earlier discussion saying that copying (dumping) kasp.db is enough
(assuming config files are identical and HSMs have identical
pregenerated keys) to have a second opendnssec machine ready to take over
signing.

However, I wonder if opendnssec rolls/uses pregenerated keys from the HSM in
a defined order (i.e. picks keys in alphabetical order); if so, it should be
possible to start two instances (with the same configs and the same keys in their
HSMs) and the same keys should be picked when both opendnssec instances
roll?
Would such a setup work, or would different opendnssec instances pick
their next keys at random and go out of sync?

Regards,
Tomas
