[Opendnssec-user] Predictable HSM key use

Paul Wouters paul at nohats.ca
Fri Jan 20 22:39:16 UTC 2012


On Fri, 20 Jan 2012, Tomas Simonaitis wrote:

> we are planning to have several signing machines with HSMs
> for redundancy.
> I found earlier discussion, that copying (dumping) kasp.db is enough
> (assuming config files are identical and HSMs have identical
> pregenerated keys) to have second opendnssec machine ready to take over
> signing.
>
> However, I wonder if opendnssec rolls/uses pregenerated keys from HSM in
> defined order (i.e. picks key in alphabetical order), if so it should be
> possible to start two instances (with same configs, same keys in their
> HSMs) and the same keys should be picked when both opendnssec instances
> roll?
> Would such setup work, or would different opendnssec instances pick
> their next keys at random and go out of sync?

It picks it based on age, so it should be the same on multiple
instances, provided you copy everything. In my tests, I copied:

/etc/opendnssec
/var/opendnssec
/root/Keyper  (for the hardware HSM I used in this setup)

Then of course you also need to use the HSM vendor procedure for copying
the HSM content from one unit to the backup unit.

Paul



More information about the Opendnssec-user mailing list