[Opendnssec-user] Predictable HSM key use
simtom at domreg.lt
Sat Jan 21 07:47:07 UTC 2012
On 20/01/2012 10:50, Siôn Lloyd wrote:
> One other thing to worry about is the human interaction required at
> rollover time; specifically issuing the "ds-seen" command on KSK roll.
> This is a time when the 2 systems could/will get out of sync, it is also
> the time when this could be most problematic.
Since KSK roll is rare and needs manual work anyway, I think we can
fully re-sync instances (copy kasp.db etc.) then and continue.
Currently we have two replicated registry back-end systems, to which we
plan to directly attach signing servers with HSM cards (Utimaco), with
hundreds of keys pregenerated and cloned.
The second signing server should be ready to sign in case of a registry
system switchover; however, we don't need to reuse signatures (full zone resign
I would prefer to avoid replicating OpenDNSSEC servers, to keep it simpler
and have identical zone-in-zone-out sign boxes, so that I can just replace
one with the other in case of hardware failure etc.
Thanks all for information.
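The failure mode raised in this thread is the two signer instances drifting apart around a KSK roll, when ds-seen has been issued on one box but the other still carries the old key states. The script below is an added example, not code from the original post or from OpenDNSSEC itself: it compares two copies of an SQLite database table by table and reports which tables differ, so an operator can confirm the standby's kasp.db actually matches the primary after the "copy kasp.db etc." re-sync. It constructs two small stand-in databases with a hypothetical, simplified key-state schema (the real kasp.db schema is different and is not reproduced here); the comparison itself does not depend on the schema, so it can be pointed at real files.

```python
"""Detect drift between two kasp.db copies (primary vs. standby signer).

Added example for the thread above; NOT part of OpenDNSSEC. The sample
schema in build_sample() is a constructed stand-in, not the real kasp.db.
"""
import hashlib
import os
import sqlite3
import tempfile


def table_digests(path):
    """Return {table: (row_count, sha256_of_sorted_rows)} for every user table.

    Rows are sorted before hashing so physical row order (which may differ
    after a copy or VACUUM) does not register as drift.
    """
    con = sqlite3.connect(path)
    try:
        tables = [r[0] for r in con.execute(
            "SELECT name FROM sqlite_master WHERE type='table' "
            "AND name NOT LIKE 'sqlite_%' ORDER BY name")]
        digests = {}
        for table in tables:
            rows = con.execute(f'SELECT * FROM "{table}"').fetchall()
            h = hashlib.sha256()
            for row in sorted(repr(r) for r in rows):
                h.update(row.encode("utf-8"))
                h.update(b"\n")
            digests[table] = (len(rows), h.hexdigest())
        return digests
    finally:
        con.close()


def diff_kasp(primary_path, standby_path):
    """Return {table: (primary_digest, standby_digest)} for tables that differ.

    A table missing on one side shows up with None for that side.
    An empty dict means the two copies are in sync.
    """
    a = table_digests(primary_path)
    b = table_digests(standby_path)
    return {t: (a.get(t), b.get(t))
            for t in sorted(set(a) | set(b)) if a.get(t) != b.get(t)}


def build_sample(directory=None):
    """Create two constructed databases and return (primary_path, standby_path).

    Hypothetical simplified schema (assumption, not the OpenDNSSEC one):
    the primary has had ds-seen issued (new KSK active, old KSK retiring),
    the standby still holds the pre-ds-seen states.
    """
    directory = directory or tempfile.mkdtemp(prefix="kasp-drift-")
    schema = """
        CREATE TABLE zones (id INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE dnsseckeys (id INTEGER PRIMARY KEY, zone_id INTEGER,
                                 keytype TEXT, state TEXT);
    """
    zones = [(1, "example.test.")]
    before_ds_seen = [(1, 1, "KSK", "active"), (2, 1, "KSK", "publish"),
                      (3, 1, "ZSK", "active")]
    after_ds_seen = [(1, 1, "KSK", "retire"), (2, 1, "KSK", "active"),
                     (3, 1, "ZSK", "active")]
    paths = []
    for name, keys in (("primary.db", after_ds_seen),
                       ("standby.db", before_ds_seen)):
        path = os.path.join(directory, name)
        con = sqlite3.connect(path)
        con.executescript(schema)
        con.executemany("INSERT INTO zones VALUES (?, ?)", zones)
        con.executemany("INSERT INTO dnsseckeys VALUES (?, ?, ?, ?)", keys)
        con.commit()
        con.close()
        paths.append(path)
    return tuple(paths)


if __name__ == "__main__":
    primary, standby = build_sample()
    drift = diff_kasp(primary, standby)
    if not drift:
        print("in sync")
    for table, (p, s) in drift.items():
        print(f"DRIFT in {table}: primary={p} standby={s}")
```

Run it against the real files as `diff_kasp("/var/opendnssec/kasp.db", "/path/to/standby-copy.db")` (paths are assumptions); any non-empty result after the post-ds-seen copy means the standby would not sign with the same key states as the primary.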