[Opendnssec-user] Maximum key generation interval on 64-bit systems
Gavin Brown
gavin.brown at centralnic.com
Tue Jul 16 14:26:56 UTC 2013
Hi Klaus,
> On 16.07.2013 13:30, Gavin Brown wrote:
>> Hi there,
>>
>> We are evaluating an HSM for use with OpenDNSSEC. The vendor has
>> suggested that we consider manually generating all the keys we are
>> likely to need up-front, so that we only ever need to do a single backup.
>>
>> We're using this command to generate the keys:
>>
>> ods-ksmutil key generate --policy default --interval [PERIOD]
>>
>> where [PERIOD] is:
>>
>> number of zones * expected life of the system
>
> IIRC it is not necessary to specify 1000 years. If you have configured
> 100 zones all using the default policy, then it should be fine to just
> specify 10Y as interval - ODS automatically detects that this policy is
> used for 100 zones and automatically generates 100 times the required keys.
The system currently has no zones in it - it's completely fresh. We
won't be adding zones until we know what they are, but the keys need to
be in place before the zones are added.
G.
--
Gavin Brown
Chief Technology Officer
CentralNic Ltd
Innovative, Reliable and Flexible Registry Services
for ccTLD, gTLD and private domain name registries
https://www.centralnic.com/
CentralNic Ltd is a company registered in England and Wales with company
number 4985780. Registered Offices: 35-39 Moorgate, London, EC2R 6AR.