[Opendnssec-user] ods-hsmutil

Gilles Massen gilles.massen at restena.lu
Fri Jul 27 07:04:59 UTC 2012


On 07/26/2012 11:35 PM, Paul Wouters wrote:
> 
> I'm not sure what this will yield. What I'm looking for is that if I
> pre-generate 3 years of keys into different HSMs, and then backup
> the kasp.db, that I can bootstrap multiple signers that would perform
> rollovers within the same hour independently - solely based on having
> identical keys on the HSM and an identical kasp.db.

What we do is replicate the whole stuff to the backup machines on an
ongoing basis - so that everything is ready when needed (although a
manual intervention would be required).

This said, while ODS does not preallocate keys to zones, it does link
generated keys to a policy - so if you can have 1 policy per zone
behaviour should be fairly predictable. As far as I remember, the keys
for rollover are chosen 'from the top of the list'. Assuming that sqlite
is predictable on ordering the results, this could be enough (but
personally I'd still keep the kasp-db 'fresh' on the backups).

Gilles

-- 
Fondation RESTENA - DNS-LU
6, rue Coudenhove-Kalergi
L-1359 Luxembourg
tel: (+352) 424409
fax: (+352) 422473
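The reasoning above (identical HSM contents plus an identical kasp.db should make independent signers pick the same key, provided the "top of the list" selection is deterministic) can be checked in miniature. The following is an added example, not OpenDNSSEC code and not the real kasp.db schema: the `keypairs` / `policies` tables, the HSM key identifiers and the allocation logic are all constructed for illustration. It models two signers bootstrapped from the same database copy, uses an explicit `ORDER BY` so the choice does not depend on SQLite's scan order, and adds the check a practitioner would want before trusting such a setup: that every key the database refers to is actually present on each signer's HSM.

```python
import sqlite3

# Constructed toy schema (assumption), NOT the real OpenDNSSEC kasp.db layout.
SCHEMA = """
CREATE TABLE policies (id INTEGER PRIMARY KEY, name TEXT NOT NULL);
CREATE TABLE keypairs (
    id         INTEGER PRIMARY KEY,
    hsm_key_id TEXT    NOT NULL,   -- identifier of the key object on the HSM
    policy_id  INTEGER NOT NULL,   -- pre-generated keys are linked to a policy
    zone       TEXT                -- NULL until the key is allocated to a zone
);
"""

# Constructed HSM key identifiers; on a real system these come from the HSM.
PREGENERATED = [(1, "key-aaaa", 1), (2, "key-bbbb", 1), (3, "key-cccc", 1)]


def build_db(path=":memory:"):
    """Create a toy database with one policy and three pre-generated keys."""
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO policies VALUES (1, 'example-policy')")
    conn.executemany(
        "INSERT INTO keypairs (id, hsm_key_id, policy_id, zone) VALUES (?, ?, ?, NULL)",
        PREGENERATED,
    )
    conn.commit()
    return conn


def next_unallocated_key(conn, policy_name):
    """Return (id, hsm_key_id) of the key taken 'from the top of the list'.

    The explicit ORDER BY is what makes the answer a function of the stored
    data alone; a bare SELECT without it relies on SQLite's scan order."""
    return conn.execute(
        """SELECT k.id, k.hsm_key_id FROM keypairs k
           JOIN policies p ON p.id = k.policy_id
           WHERE p.name = ? AND k.zone IS NULL
           ORDER BY k.id LIMIT 1""",
        (policy_name,),
    ).fetchone()


def allocate_key(conn, key_id, zone):
    """Mark a key as consumed by a zone (a rollover in this toy model)."""
    conn.execute("UPDATE keypairs SET zone = ? WHERE id = ?", (zone, key_id))
    conn.commit()


def hsm_key_ids(conn):
    """Set of HSM key ids the database expects to exist."""
    return {row[0] for row in conn.execute("SELECT hsm_key_id FROM keypairs")}


def check_signers_agree(db_a, db_b, hsm_a, hsm_b, policy_name):
    """True only if both HSMs hold every key the database refers to AND both
    signers would pick the same key for the next rollover."""
    if not hsm_key_ids(db_a) <= hsm_a or not hsm_key_ids(db_b) <= hsm_b:
        return False
    return next_unallocated_key(db_a, policy_name) == next_unallocated_key(db_b, policy_name)


def simulate():
    """Two signers restored from the same backup roll twice, independently."""
    a, b = build_db(), build_db()
    hsm = {"key-aaaa", "key-bbbb", "key-cccc"}  # constructed HSM inventory
    picks = []
    for _ in range(2):
        ka = next_unallocated_key(a, "example-policy")
        kb = next_unallocated_key(b, "example-policy")
        picks.append((ka, kb))
        allocate_key(a, ka[0], "example.org")
        allocate_key(b, kb[0], "example.org")
    agree = all(x == y for x, y in picks)
    # Identical HSM contents: the third rollover would still agree.
    ok_same_hsm = check_signers_agree(a, b, hsm, hsm, "example-policy")
    # A backup whose HSM lacks one pre-generated key must be caught up front.
    ok_missing_key = check_signers_agree(a, b, hsm, hsm - {"key-cccc"}, "example-policy")
    return agree, ok_same_hsm, ok_missing_key, picks


if __name__ == "__main__":
    print(simulate())
```

The inventory check is the part worth keeping fresh on the backups: a database that references a key the standby HSM never received will not fail until the rollover that needs it.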