[Opendnssec-user] running ODS concurrently on one server

Paul Wouters paul at nohats.ca
Wed Jul 10 20:23:03 UTC 2013


On Tue, 9 Jul 2013, Klaus Darilion wrote:

>> CIRA's signing infrastructure with .CA provides some experience for a
>> somewhat similar setup. CIRA uses OpenDNSSEC to manage the key
>> policy, and the identities of the keys required to make signature are
>> extracted from the live policy in order to do their parallel signing
>> with BIND9 (they sign with multiple signers and compare the results
>> before publication).
>
> So, they sign with ods-signer and additionally with the bind signing tools? 
> Or do they use only the bind signing tools?

The unsigned zone is copied to both an opendnssec and a bind system.
Both systems sign using their own implementation. Only the keys are
synchronized between the two, that is ods-enforcerd determines when a
key (ZSK) needs to roll.

Both are then fed through validators, including one that strips all
ephemeral data (timestamps etc) and checks if the zones are identical.

Paul
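The "strip ephemeral data and check the zones are identical" step Paul describes is easy to get subtly wrong, because the RRSIG signature bytes are themselves a function of the inception and expiration timestamps: two signers with different validity windows will never produce byte-identical RRSIGs even with the same key, so a meaningful diff has to drop the timestamps and the signature field (and the SOA serial) and compare what is left: the unsigned RRsets, the NSEC chain, and which key tag signed which RRset. The script below is an added example, not CIRA's or OpenDNSSEC's code. It assumes both signed zones are in full presentation format, one RR per line as "owner TTL class type rdata", with no $ORIGIN/$TTL directives or parentheses; the three zone texts are constructed sample data, and the function names are mine.

```python
"""Normalize two independently signed copies of one zone and diff them.

Added example, not CIRA's or OpenDNSSEC's code. Assumes full
presentation format, one RR per line ("owner TTL class type rdata"),
no $ORIGIN/$TTL directives and no parentheses; a real file would go
through a proper zone parser first.
"""

from typing import Dict, List, Set, Tuple

# RRSIG RDATA field order (RFC 4034 section 3.2): type covered(0),
# algorithm(1), labels(2), original TTL(3), expiration(4), inception(5),
# key tag(6), signer name(7), signature(8 onwards; base64, may be split
# over several tokens in presentation format).
RRSIG_KEYTAG, RRSIG_SIGNER, RRSIG_SIG = 6, 7, 8
# RDATA positions holding domain names, which are case-insensitive.
NAME_FIELDS: Dict[str, List[int]] = {"NS": [0], "CNAME": [0], "SOA": [0, 1], "NSEC": [0]}

# Constructed sample: one zone, signed by two signers with different
# validity windows, serials, signature bytes, ordering and whitespace.
ZONE_ODS = """\
example. 3600 IN SOA ns1.example. hostmaster.example. 2013071001 7200 3600 1209600 3600
example. 3600 IN RRSIG SOA 8 1 3600 20130810120000 20130710120000 12345 example. c29hLXNpZw==
example. 3600 IN NS ns1.example.
example. 3600 IN RRSIG NS 8 1 3600 20130810120000 20130710120000 12345 example. bnMtc2ln
example. 3600 IN DNSKEY 256 3 8 AwEAAZSK=
example. 3600 IN DNSKEY 257 3 8 AwEAAKSK=
example. 3600 IN RRSIG DNSKEY 8 1 3600 20130810120000 20130710120000 54321 example. ZG5za2V5LXNpZw==
example. 3600 IN NSEC ns1.example. NS SOA RRSIG NSEC DNSKEY
example. 3600 IN RRSIG NSEC 8 1 3600 20130810120000 20130710120000 12345 example. bnNlYy1zaWc=
ns1.example. 3600 IN A 192.0.2.1
ns1.example. 3600 IN RRSIG A 8 2 3600 20130810120000 20130710120000 12345 example. YS1zaWc=
ns1.example. 3600 IN NSEC example. A RRSIG NSEC
ns1.example. 3600 IN RRSIG NSEC 8 2 3600 20130810120000 20130710120000 12345 example. bnNlYzItc2ln
"""

ZONE_BIND = """\
ns1.example.\t3600\tIN\tA\t192.0.2.1
ns1.example.\t3600\tIN\tRRSIG\tA 8 2 3600 20130811000000 20130711000000 12345 example. Yi1zaWc=
ns1.example.\t3600\tIN\tNSEC\texample. A RRSIG NSEC
ns1.example.\t3600\tIN\tRRSIG\tNSEC 8 2 3600 20130811000000 20130711000000 12345 example. Yi1uc2VjMg==
EXAMPLE.\t3600\tIN\tSOA\tns1.example. hostmaster.example. 2013071002 7200 3600 1209600 3600
EXAMPLE.\t3600\tIN\tRRSIG\tSOA 8 1 3600 20130811000000 20130711000000 12345 EXAMPLE. Yi1zb2E=
EXAMPLE.\t3600\tIN\tNS\tns1.example.
EXAMPLE.\t3600\tIN\tRRSIG\tNS 8 1 3600 20130811000000 20130711000000 12345 example. Yi1ucw==
EXAMPLE.\t3600\tIN\tDNSKEY\t256 3 8 AwEAAZSK=
EXAMPLE.\t3600\tIN\tDNSKEY\t257 3 8 AwEAAKSK=
EXAMPLE.\t3600\tIN\tRRSIG\tDNSKEY 8 1 3600 20130811000000 20130711000000 54321 example. Yi1kbnNrZXk=
EXAMPLE.\t3600\tIN\tNSEC\tns1.example. NS SOA RRSIG NSEC DNSKEY
EXAMPLE.\t3600\tIN\tRRSIG\tNSEC 8 1 3600 20130811000000 20130711000000 12345 example. Yi1uc2Vj
"""

# Same as ZONE_BIND but the apex NSEC type bitmap omits DNSKEY: a real
# signer bug that timestamps and signatures would otherwise hide.
ZONE_BIND_BROKEN = ZONE_BIND.replace(
    "NSEC\tns1.example. NS SOA RRSIG NSEC DNSKEY", "NSEC\tns1.example. NS SOA RRSIG NSEC"
)


def normalize(zone_text: str) -> Set[str]:
    """Return the zone as a set of RR strings with ephemeral data removed."""
    records: Set[str] = set()
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        tokens = line.split()
        owner, ttl, klass, rtype = tokens[0].lower(), tokens[1], tokens[2].upper(), tokens[3].upper()
        rdata = tokens[4:]
        for idx in NAME_FIELDS.get(rtype, []):
            rdata[idx] = rdata[idx].lower()
        if rtype == "SOA":
            rdata[2] = "<serial>"             # serial differs per signing run
        elif rtype == "NSEC":
            rdata = [rdata[0]] + sorted(rdata[1:])  # bitmap order is presentational
        elif rtype == "RRSIG":
            # Keep type covered, algorithm, labels, original TTL, key tag and
            # signer; blank out expiration, inception and the signature bytes.
            rdata = rdata[:4] + ["<expiration>", "<inception>",
                                 rdata[RRSIG_KEYTAG], rdata[RRSIG_SIGNER].lower(), "<signature>"]
        records.add(" ".join([owner, ttl, klass, rtype] + rdata))
    return records


def compare_zones(a: str, b: str) -> Tuple[Set[str], Set[str]]:
    """Return (records only in a, records only in b) after normalization."""
    na, nb = normalize(a), normalize(b)
    return na - nb, nb - na


def zones_match(a: str, b: str) -> bool:
    only_a, only_b = compare_zones(a, b)
    return not only_a and not only_b


if __name__ == "__main__":
    print("ods vs bind:", zones_match(ZONE_ODS, ZONE_BIND))
    for side, diff in zip(("only in ods", "only in bind"), compare_zones(ZONE_ODS, ZONE_BIND_BROKEN)):
        for rr in sorted(diff):
            print(f"{side}: {rr}")
```

Because the signature bytes are stripped, this diff says nothing about whether either signer produced valid signatures; that is what the separate validators in the setup are for. What the diff does catch is disagreement about the zone content, the NSEC chain, or which key tag signed which RRset, which is exactly where two implementations driven by one shared key policy are most likely to drift apart.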
