[Opendnssec-user] Predictable HSM key use

Siôn Lloyd sion at nominet.org.uk
Fri Jan 20 08:50:42 UTC 2012

On 20/01/12 07:09, Tomas Simonaitis wrote:
> Hello,
> we are planning to have several signing machines with HSMs
> for redundancy.
> I found earlier discussion, that copying (dumping) kasp.db is enough
> (assuming config files are identical and HSMs have identical
> pregenerated keys) to have second opendnssec machine ready to take over
> signing.
> However, I wonder if opendnssec rolls/uses pregenerated keys from HSM in
> defined order (i.e. picks key in alphabetical order), if so it should be
> possible to start two instances (with same configs, same keys in their
> HSMs) and the same keys should be picked when both opendnssec instances
> roll?
> Would such setup work, or would different opendnssec instances pick
> their next keys at random and go out of sync?

When the enforcer picks a new key to add to a zone it uses the one with 
the lowest id (the primary key created by the database when the keypair 
is generated, not the cka_id).

So, with one zone this is deterministic... However, if multiple zones 
are being signed then it is possible that on one machine they are seen 
in a different order to the other.

This can be mitigated by having a different policy per zone (even if 
they are identical apart from their names). In that case the keys are 
created for the policy and not shared between them.

One other thing to worry about is the human interaction required at 
rollover time; specifically issuing the "ds-seen" command on KSK roll. 
This is a time when the 2 systems could/will get out of sync; it is also 
the time when this could be most problematic.
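A small simulation of the argument in this reply, added here as an illustrative model and not OpenDNSSEC's own code: two enforcer instances that see the same zones in a different order diverge when the zones share one key pool (lowest id wins), but stay in sync when each zone has its own policy and therefore its own pool. The class and function names are assumptions made for the example.

```python
# Illustrative model of the key-selection rule described above (lowest database
# id first). This is constructed example code for this page, NOT OpenDNSSEC code.
from typing import Dict, List, Tuple


class KeyPool:
    """Pregenerated keys for one policy, ordered by database id (lowest first)."""
    def __init__(self, policy: str, ids: List[int]) -> None:
        self.policy = policy
        self.free = sorted(ids)          # lowest id is always picked first
        self.assigned: Dict[str, int] = {}

    def pick(self, zone: str) -> int:
        """Assign the lowest-id free key to `zone`."""
        key_id = self.free.pop(0)
        self.assigned[zone] = key_id
        return key_id


def allocate(zone_order: List[str], policy_of: Dict[str, str],
             pool_ids: Dict[str, List[int]]) -> Dict[str, int]:
    """Simulate one enforcer instance that sees zones in `zone_order`."""
    pools = {p: KeyPool(p, ids) for p, ids in pool_ids.items()}
    return {z: pools[policy_of[z]].pick(z) for z in zone_order}


def compare_instances(zones: List[str], policy_of: Dict[str, str],
                      pool_ids: Dict[str, List[int]]) -> Tuple[bool, dict, dict]:
    """Two instances with identical keys, seeing the zones in opposite order."""
    a = allocate(zones, policy_of, pool_ids)
    b = allocate(list(reversed(zones)), policy_of, pool_ids)
    return a == b, a, b


# Constructed sample: two zones, identical pregenerated keys on both HSMs.
ZONES = ["example.net", "example.org"]
# Case 1: one shared policy, so both zones draw from the same key pool.
SHARED_POLICY = {z: "default" for z in ZONES}
SHARED_POOL = {"default": [101, 102, 103, 104]}
# Case 2: one policy per zone, so each zone has its own key pool.
PER_ZONE_POLICY = {z: z for z in ZONES}
PER_ZONE_POOL = {"example.net": [201, 202], "example.org": [301, 302]}

if __name__ == "__main__":
    same, a, b = compare_instances(ZONES, SHARED_POLICY, SHARED_POOL)
    print("shared policy in sync:", same, a, b)    # False: the zones swap keys
    same, a, b = compare_instances(ZONES, PER_ZONE_POLICY, PER_ZONE_POOL)
    print("per-zone policy in sync:", same, a, b)  # True
```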
