[Opendnssec-user] running ODS concurrently on one server

Klaus Darilion klaus.mailinglists at pernau.at
Tue Jul 9 14:49:15 UTC 2013



On 08.07.2013 17:53, Joe Abley wrote:
> Hi Klaus,
>
> On 2013-07-08, at 09:13, Klaus Darilion
> <klaus.mailinglists at pernau.at> wrote:
>
>> I want to sign a certain zone multiple times: 1x the original zone
>> + 1x a modified "backup" zone (change SOA serial and maybe some
>> other records)
>
> CIRA's signing infrastructure with .CA provides some experience for a
> somewhat similar setup. CIRA uses OpenDNSSEC to manage the key
> policy, and the identities of the keys required to make signature are
> extracted from the live policy in order to do their parallel signing
> with BIND9 (they sign with multiple signers and compare the results
> before publication).

So, they sign with ods-signer and additionally with the BIND signing 
tools? Or do they use only the BIND signing tools?

> You could do similar -- extract the key identities from ODS, modify
> the unsigned zone automagically to your requirements and use the
> BIND9 tools to sign it with the appropriate keys.
>
> In addition to whatever risks you are mitigating by having the
> standby signed zone ready for publication, this would also give you
> an independent implementation (so, e.g., if there ever turns out to
> be a problem in the ODS signer you have an independently-signed zone
> to give you some extra comfort).

Indeed, but twice as much engineering work ;-)

BTW: I just found pkcs11-proxy and some basic testing works fine. Does 
anybody have practical experience with pkcs11-proxy?

regards
Klaus
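The "sign with multiple signers and compare the results before publication" step from Joe's description, as an added example that is not part of this thread and not CIRA's or OpenDNSSEC's code. It assumes both signed copies are in master-file format with the class written as IN and a TTL on every record (as dnssec-signzone and ods-signer emit), ignores signature bytes and validity times (which legitimately differ between signers) and the SOA serial, but keeps the RRSIG key tag so a signer using a key outside the ODS policy is caught. The sample zones are constructed.

```python
"""Compare two independently signed copies of one zone before publication."""


def join_continuations(text):
    """Join parenthesised multi-line records into one logical line each.
    Assumption: ';' starts a comment and parentheses are not used inside
    quoted rdata (true for the record types compared here)."""
    out, buf, depth = [], [], 0
    for raw in text.splitlines():
        line = raw.split(';', 1)[0].strip()
        if not line:
            continue
        depth += line.count('(') - line.count(')')
        buf.append(line)
        if depth == 0:
            out.append(' '.join(buf).replace('(', ' ').replace(')', ' '))
            buf = []
    return out


def canonical_records(text):
    """Reduce a signed zone to the set of records that both signers must agree on."""
    recs = set()
    for line in join_continuations(text):
        if line.startswith('$'):          # $ORIGIN / $TTL directives
            continue
        f = line.split()
        i = f.index('IN')                 # assumption: class is always written
        owner, ttl, rtype, rdata = f[0], f[1], f[i + 1], f[i + 2:]
        if rtype == 'RRSIG':
            # keep type covered, algorithm, labels, original TTL, key tag, signer;
            # drop expiration, inception and the signature itself
            rdata = rdata[:4] + rdata[6:8]
        elif rtype == 'SOA':
            rdata = rdata[:2] + ['<serial>'] + rdata[3:]   # serial differs by design
        recs.add((owner, ttl, rtype, ' '.join(rdata)))
    return recs


def compare_signed_zones(zone_a, zone_b):
    """Return (records only in A, records only in B); both empty means publishable."""
    ra, rb = canonical_records(zone_a), canonical_records(zone_b)
    return sorted(ra - rb), sorted(rb - ra)


# Constructed sample: signer B used key tag 54321 for www, not the policy key 12345.
ZONE_A = """$ORIGIN example.net.
$TTL 3600
@ 3600 IN SOA ns1.example.net. hostmaster.example.net. ( 2013070901 7200 3600 1209600 3600 )
@ 3600 IN NS ns1.example.net.
@ 3600 IN RRSIG NS 8 2 3600 20130801000000 20130709000000 12345 example.net. AAAA==
www 3600 IN A 192.0.2.10
www 3600 IN RRSIG A 8 3 3600 20130801000000 20130709000000 12345 example.net. CCCC==
"""
ZONE_B = """$ORIGIN example.net.
$TTL 3600
@ 3600 IN SOA ns1.example.net. hostmaster.example.net. (
        2013070902 ; serial bumped on the backup copy
        7200 3600 1209600 3600 )
@ 3600 IN NS ns1.example.net.
@ 3600 IN RRSIG NS 8 2 3600 20130802000000 20130709120000 12345 example.net. DDDD==
www 3600 IN A 192.0.2.10
www 3600 IN RRSIG A 8 3 3600 20130802000000 20130709120000 54321 example.net. EEEE==
"""

if __name__ == '__main__':
    print(compare_signed_zones(ZONE_A, ZONE_B))
```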
