[Opendnssec-user] Predictable HSM key use

Rick van Rein rick at openfortress.nl
Fri Jan 20 22:56:57 UTC 2012


Hi Thomas,

> we are planning to have several signing machines with HSMs
> for redundancy.
> I found earlier discussion, that copying (dumping) kasp.db is enough
> (assuming config files are identical and HSMs have identical
> pregenerated keys) to have a second opendnssec machine ready to take over
> signing.

We use MySQL replication for the KASP database, so we normally have
pretty-near-live updates.  Note that earlier versions of the KASP
would not work under MySQL's autoincrement-by-N setup as is used
for multi-master-mode-MySQL.

> However, I wonder if opendnssec rolls/uses pregenerated keys from HSM in
> defined order (i.e. picks key in alphabetical order), if so it should be
> possible to start two instances (with same configs, same keys in their
> HSMs) and the same keys should be picked when both opendnssec instances
> roll?

How do you establish those duplicated keys?  Are you using an HSM that
does replicate keys, but that does not provide one integrated PKCS #11
service?

> Would such setup work, or would different opendnssec instances pick
> their next keys at random and go out of sync?

You should think about the signatures as well.  Are you generating
those only on one machine at a time?  (The other being a hot standby?)

If both are actively signing, they might interfere.  The signatures
generated could have slightly different timing AFAIK, due to the
variations implemented to spread the computational load.  Two KASP
instances are likely to have different timing.

With DSA, the signature involves some random material.  Since the
private DSA key can be derived if you could replay that randomness
for two different signatures, you should not try to sync this
random material if your life depended on it -- then better avoid
DSA and use RSA instead, which is also a better idea than DSA
anyway, for bitlength-scalable security and faster resolving.


Hope this helps,
 -Rick
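The DSA point above, as an added example that is not part of the original message: a toy DSA (constructed small parameters p=47, q=23, g=4 and a stand-in hash, so the arithmetic can be followed by hand) shows that two signers holding the same key produce different, equally valid signatures because the per-signature nonce k differs, and that if the nonce were ever replayed across two signatures the private key x follows from the two signatures alone, which is why the random material must never be synchronised between instances.

```python
import secrets

# Toy DSA domain parameters, constructed small enough to follow by hand:
# q divides p - 1 and g has order q in Z_p^*. Real deployments use 2048-bit+ p.
P, Q, G = 47, 23, 4
assert (P - 1) % Q == 0 and pow(G, Q, P) == 1


def toy_hash(msg: bytes) -> int:
    """Stand-in for the hash step: real DSA hashes with SHA-2, then reduces mod q."""
    return int.from_bytes(msg, "big") % Q


def sign(x: int, msg: bytes, k=None):
    """Sign with private key x; k is the per-signature nonce, fresh random by default."""
    while True:
        nonce = k if k is not None else secrets.randbelow(Q - 1) + 1
        r = pow(G, nonce, P) % Q
        s = (pow(nonce, -1, Q) * (toy_hash(msg) + x * r)) % Q
        if r and s:
            return r, s
        if k is not None:
            raise ValueError("degenerate signature for this nonce; pick another")


def verify(y: int, msg: bytes, sig) -> bool:
    """Standard DSA verification against public key y = g^x mod p."""
    r, s = sig
    if not (0 < r < Q and 0 < s < Q):
        return False
    w = pow(s, -1, Q)
    u1, u2 = (toy_hash(msg) * w) % Q, (r * w) % Q
    return (pow(G, u1, P) * pow(y, u2, P) % P) % Q == r


def recover_private_key(m1: bytes, sig1, m2: bytes, sig2) -> int:
    """If two signatures on different messages reuse the nonce (same r),
    x falls out algebraically: this is what 'replaying the randomness' costs."""
    (r1, s1), (r2, s2) = sig1, sig2
    if r1 != r2 or s1 == s2:
        raise ValueError("nonces differ (or degenerate case); nothing to recover")
    k = ((toy_hash(m1) - toy_hash(m2)) * pow(s1 - s2, -1, Q)) % Q
    return ((s1 * k - toy_hash(m1)) * pow(r1, -1, Q)) % Q


if __name__ == "__main__":
    x = 7                      # constructed private key
    y = pow(G, x, P)           # public key, 28
    # Two "instances" with the same key: both signatures verify, yet they differ.
    print(sign(x, b"a"), sign(x, b"a"), verify(y, b"a", sign(x, b"a")))
```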