[Opendnssec-user] ods-hsmutil

Yuri Schaeffer yuri at nlnetlabs.nl
Fri Jul 27 08:02:08 UTC 2012

Hi Paul,

> If a large TLD gets a new registration, it needs to go out in minutes.
> So a signer always needs to be ready to sign right now. Therefor, TLDs
> or other large/dynamic zones will always need to have the option to
> switch from one hardware setup to another (identical) one.
> There is no time to go jump in a car and drive to a data centre.
> I'm not sure what this will yield. What I'm looking for is that if I
> pre-generate 3 years of keys into different HSMs, and then backup
> the kasp.db, that I can bootstrap multiple signers that would perform
> rollovers within the same hour indepentantly - solely based on having
> identical keys on the HSM and an identical kasp.db.

So in your situation the signer needs to be running at all times. The
enforcer may still crash&burn without any direct consequence. Indeed
duplicating the signer would make sense. The signer will use the HSM
copy and a signconf.xml. The latter is generated by the enforcer. If
that file is no longer updated the signer keeps signing properly, only
key rollovers and resalts will not happen till the enforcer is back up.

kasp.db does not need to be distributed and you'd have time enough to
take public transport to the data center. The only consequence is that
all key rollovers (future _and_ current) will be on hold. (Which might
not even be a bad idea in a situation like this.)


More information about the Opendnssec-user mailing list