[Opendnssec-user] Predictable HSM key use
sion at nominet.org.uk
Fri Jan 20 08:50:42 UTC 2012
On 20/01/12 07:09, Tomas Simonaitis wrote:
> we are planning to have several signing machines with HSMs
> for redundancy.
> I found earlier discussion, that copying (dumping) kasp.db is enough
> (assuming config files are identical and HSMs have identical
> pregenerated keys) to have second opendnssec machine ready to take over
> However, I wonder if opendnssec rolls/uses pregenerated keys from HSM in
> defined order (i.e. picks key in alphabetical order), if so it should be
> possible to start two instances (with same configs, same keys in their
> HSMs) and the same keys should be picked when both opendnssec instances
> Would such setup work, or would different opendnssec instances pick
> their next keys at random and go out of sync?
When the enforcer picks a new key to add to a zone it uses the one with
the lowest id (the primary key created by the database when the keypair
is generated, not the cka_id).
So, with one zone this is deterministic... However, if multiple zones
are being signed then it is possible that on one machine they are seen
in a different order to the other.
This can be mitigated by having a different policy per zone (even if
they are identical apart from their names). In that case the keys are
created for the policy and not shared between them.
One other thing to worry about is the human interaction required at
rollover time; specifically issuing the "ds-seen" command on KSK roll.
This is a time when the 2 systems could/will get out of sync, it is also
the time when this could be most problematic.
More information about the Opendnssec-user