[Opendnssec-user] Predictable HSM key use

Tomas Simonaitis simtom at domreg.lt
Sat Jan 21 07:47:07 UTC 2012

On 20/01/2012 10:50, Siôn Lloyd wrote:
> One other thing to worry about is the human interaction required at
> rollover time; specifically issuing the "ds-seen" command on KSK roll.
> This is a time when the 2 systems could/will get out of sync, it is also
> the time when this could be most problematic.

Since a KSK roll is rare and needs manual work anyway, I think we can 
fully re-sync the instances (copy kasp.db etc.) then and continue.

Currently we have two replicated registry back-end systems,
to which we plan to directly attach signing servers with HSM cards 
(Utimaco), with hundreds of keys pregenerated and cloned.
The second signing server should be ready to sign in case of a registry 
system switch-over; however, we don't need to reuse signatures (a full 
zone re-sign is fine).
I would prefer to avoid replicating OpenDNSSEC servers, to keep it 
simpler and have identical zone-in-zone-out signing boxes, so that I can 
just replace one with the other in case of HW failure etc.

Thanks all for information.
