[Opendnssec-user] running ODS concurrently on one server

Joe Abley jabley at hopcount.ca
Mon Jul 8 15:53:44 UTC 2013


Hi Klaus,

On 2013-07-08, at 09:13, Klaus Darilion <klaus.mailinglists at pernau.at> wrote:

> I want to sign a certain zone multiple times: 1x the original zone + 1x a modified "backup" zone (change SOA serial and maybe some other records)

CIRA's signing infrastructure with .CA provides some experience for a somewhat similar setup. CIRA uses OpenDNSSEC to manage the key policy, and the identities of the keys required to make signatures are extracted from the live policy in order to do their parallel signing with BIND9 (they sign with multiple signers and compare the results before publication).

You could do similar -- extract the key identities from ODS, modify the unsigned zone automagically to your requirements and use the BIND9 tools to sign it with the appropriate keys.

In addition to whatever risks you are mitigating by having the standby signed zone ready for publication, this would also give you an independent implementation (so, e.g., if there ever turns out to be a problem in the ODS signer you have an independently-signed zone to give you some extra comfort).


Joe
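The workflow Joe sketches (read the key identities out of ODS, modify the unsigned zone, sign it with the BIND9 tools, and compare the independently signed result with the ODS-signed zone before publishing either) can be scripted around the two signers. The following is an added example and is not code from the thread or from the OpenDNSSEC or BIND projects. It assumes the column order of OpenDNSSEC 1.x `ods-ksmutil key list --verbose` output shown in the constructed sample, uses constructed zone data with placeholder signatures, and leaves the actual `dnssec-signzone` invocation, and how BIND's tools reach the HSM-held private keys (for example with `dnssec-keyfromlabel -E pkcs11`), to the deployment.

```python
"""Added example for the standby-zone workflow in the thread: pull the key
identities out of OpenDNSSEC, bump the SOA serial in the unsigned zone before
the BIND9 tools sign it, and compare the independently signed output with the
ODS-signed zone before publication.  Not code from OpenDNSSEC, BIND or the
thread; all samples are constructed, and the ods-ksmutil column order is assumed."""
import re
from collections import defaultdict
# Constructed sample of `ods-ksmutil key list --verbose --zone example.com`.
ODS_KEY_LIST = """\
Zone:        Keytype: State:   Date of next transition (to):  Size: Algorithm: CKA_ID:                          Repository: Keytag:
example.com  KSK      active   2013-09-01 00:00:00 (retire)   2048  8          1f2e3d4c5b6a79880706050403020100 SoftHSM     12345
example.com  ZSK      active   2013-08-01 00:00:00 (retire)   1024  8          00112233445566778899aabbccddeeff SoftHSM     54321
"""
# Constructed unsigned zone, and the same data signed in two styles: one RR per
# line (as the ODS signer writes it) and BIND's parenthesised form.  Signatures are placeholders.
ZONE_UNSIGNED = """\
example.com. IN SOA ns1.example.com. hostmaster.example.com. (
        2013070801 7200 900 1209600 3600 ) ; serial first
example.com. IN NS ns1.example.com.
"""
ZONE_ODS = """\
example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. 2013070801 7200 900 1209600 3600
example.com. 3600 IN RRSIG SOA 8 2 3600 20130808000000 20130708000000 54321 example.com. AAAAsigA==
example.com. 3600 IN NS ns1.example.com.
example.com. 3600 IN RRSIG NS 8 2 3600 20130808000000 20130708000000 54321 example.com. AAAAsigB==
"""
ZONE_BIND = """\
example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. (
        2013070801 ; serial
        7200 900 1209600 3600 )
example.com. 3600 IN RRSIG SOA 8 2 3600 (
        20130809120000 20130710120000 54321 example.com. BBBBsigC== )
example.com. 3600 IN NS ns1.example.com.
example.com. 3600 IN RRSIG NS 8 2 3600 20130809120000 20130710120000 54321 example.com. BBBBsigD==
"""

def parse_ods_key_list(text, states=("active",)):
    """Keys in the given states; fields are read from the right-hand end of each
    line because the transition column contains spaces."""
    keys = []
    for line in text.splitlines():
        c = line.split()
        if len(c) < 9 or c[0].endswith(":"):      # blank line or heading
            continue
        if c[2] in states:
            keys.append(dict(zone=c[0], keytype=c[1], state=c[2], algorithm=int(c[-4]),
                             cka_id=c[-3], repository=c[-2], keytag=int(c[-1])))
    return keys

def _split_rr(tokens):
    """(owner, ttl or None, TYPE, rdata) for one tokenised RR; class is optional."""
    i, ttl = 1, None
    if tokens[i].isdigit():
        ttl, i = int(tokens[i]), i + 1
    if tokens[i].upper() in ("IN", "CH", "HS"):
        i += 1
    return tokens[0].lower(), ttl, tokens[i].upper(), tokens[i + 1:]

def iter_rrs(zone_text):
    """One token list per RR; joins parenthesised records and drops ';' comments
    (simplification: no $ORIGIN, relative names or ';' inside quoted TXT)."""
    buf = ""
    for raw in zone_text.splitlines():
        buf += " " + raw.split(";", 1)[0]
        if buf.count("(") > buf.count(")"):
            continue                                # record continues on next line
        tokens, buf = buf.replace("(", " ").replace(")", " ").split(), ""
        if len(tokens) >= 4 and not tokens[0].startswith("$"):
            yield tokens

def bump_soa_serial(zone_text, new_serial):
    """Rewrite the SOA serial in place, keeping every other byte of the file."""
    lines, out, i = zone_text.splitlines(keepends=True), [], 0
    while i < len(lines):
        block = lines[i]
        tokens = block.split(";", 1)[0].replace("(", " ").split()
        if len(tokens) >= 4 and not tokens[0].startswith("$") and _split_rr(tokens)[2] == "SOA":
            while block.count("(") > block.count(")"):   # pull in continuation lines
                i += 1
                block += lines[i]
            m = re.search(r"\bSOA\s+\S+\s+\S+\s*\(?\s*(\d+)", block)
            if not m:
                raise ValueError("could not locate the SOA serial")
            block = block[:m.start(1)] + str(new_serial) + block[m.end(1):]
        out.append(block)
        i += 1
    return "".join(out)

def compare_signed_zones(zone_a, zone_b):
    """Pre-publication check across two signers: a list of differences (empty
    means agreement).  Every non-RRSIG record must match exactly and each RRset
    must carry RRSIGs from the same (algorithm, keytag) set; RRSIG validity
    times and signature bytes legitimately differ between runs and are ignored."""
    def summarize(text):
        rrs, signers = set(), defaultdict(set)
        for tokens in iter_rrs(text):
            owner, ttl, rtype, rdata = _split_rr(tokens)
            if rtype == "RRSIG":    # rdata: covered alg labels ottl expire incept keytag signer sig
                signers[(owner, rdata[0].upper())].add((int(rdata[1]), int(rdata[6])))
            else:
                rrs.add((owner, ttl, rtype, " ".join(rdata)))
        return rrs, signers
    (rrs_a, sig_a), (rrs_b, sig_b) = summarize(zone_a), summarize(zone_b)
    diffs = [f"only in A: {rr}" for rr in sorted(rrs_a - rrs_b, key=str)]
    diffs += [f"only in B: {rr}" for rr in sorted(rrs_b - rrs_a, key=str)]
    for rrset in sorted(set(sig_a) | set(sig_b)):
        if sig_a[rrset] != sig_b[rrset]:
            diffs.append(f"signers differ for {rrset}: A={sorted(sig_a[rrset])} B={sorted(sig_b[rrset])}")
    return diffs
```

`parse_ods_key_list` gives the CKA_ID and keytag of each active key, which is what the BIND side needs to pick the matching HSM objects; `bump_soa_serial` produces the modified standby zone without disturbing the rest of the file; `compare_signed_zones` is the gate before either signed zone is published, and deliberately ignores only the RRSIG fields that two honest signers are allowed to disagree on. A missing or extra signature, a different signing key, or any change to the signed data shows up as a difference.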