[Opendnssec-user] How to Manage Thousands of Zones' Keys

Casper Gielen c.gielen at uvt.nl
Tue Oct 16 09:19:09 UTC 2012

On 16-10-12 10:18, 刘硕 wrote:
> Hi,
> We are testing managing a thousand zones with OpenDNSSEC 1.4.0b1 with
> MySQL, but SoftHSM can only connect with SQLite, right?
> Is it suitable for all the zones to share the same ZSK/KSK? Would this
> cause some other operational problems? Or should I just turn
> <ShareKeys> on? But I suppose a thousand zones using the same key pairs
> seems abnormal, right? What would you guys do?
> I don't know how many keys SoftHSM can hold, but is it wise for it to
> hold thousands of keys?
> What's your opinion on managing thousands of zones?

I don't think you need to worry. While I only have 300 zones to manage, I
have never experienced the interface to the SoftHSM as a bottleneck.
You could define multiple SoftHSM-files but I'm not sure if that will
improve anything at all.
There is nothing inherently wrong with many zones sharing the same key,
it's more about ease of management. Both systems (shared and unshared)
have their advantages.
My suggestion would be to just try it.
Casper Gielen <cgielen at uvt.nl> | LIS UNIX
PGP fingerprint = 16BD 2C9F 8156 C242 F981  63B8 2214 083C F80E 4AF7

Universiteit van Tilburg | Postbus 90153, 5000 LE
Warandelaan 2 | Telefoon 013 466 4100 | G 236 | http://www.uvt.nl
