[Opendnssec-user] Maximum key generation interval on 64-bit systems

Klaus Darilion klaus.mailinglists at pernau.at
Tue Jul 16 15:02:57 UTC 2013



On 16.07.2013 16:26, Gavin Brown wrote:
> Hi Klaus,
>
>> On 16.07.2013 13:30, Gavin Brown wrote:
>>> Hi there,
>>>
>>> We are evaluating an HSM for use with OpenDNSSEC. The vendor has
>>> suggested that we consider manually generating all the keys we are
>>> likely to need up-front, so that we only ever need to do a single backup.

Btw: What HSMs do you use? We use nCipher and they are very easy to 
backup. The keys are stored encrypted on the hard disk. Thus, after 
creating new keys, we just have to backup the directory with the keys.

>>>
>>> We're using this command to generate the keys:
>>>
>>> ods-ksmutil key generate --policy default --interval [PERIOD]
>>>
>>> where [PERIOD] is:
>>>
>>>      number of zones * expected life of the system
>>
>> IIRC it is not necessary to specify 1000 years. If you have configured
>> 100 zones using all the default policy, then it should be fine to just
>> specify 10Y as interval - ODS automatically detects that this policy is
>> used for 100 zones and automatically generates 100 times the required keys.
>
> The system currently has no zones in it - it's completely fresh. We
> won't be adding zones until we know what they are, but the keys need to
> be in place before the zones are added.

Then I think you have to calculate the number of needed keys yourself, 
generate them manually with ods-hsmutil and once you add a zone, import 
the keys with "ods-ksmutil key import ..." into the new zone.

A workaround would be to add 100 dummy zones to ODS, use "ods-ksmutil 
key generate ..." to generate the keys (+100 ZSKs and +100 KSKs), and 
then remove the dummy zones. Then, when you add new zones and they use 
the same policy as the dummy zones, the new zones will automatically 
use the previously generated keys.

regards
Klaus
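The dummy-zone workaround from the reply above, scripted as an added example (this is not code from the thread or from the OpenDNSSEC project). It assumes an OpenDNSSEC 1.x installation whose ods-ksmutil offers the "zone add", "zone delete" and "key generate" subcommands used in the thread; the policy name, zone count, interval, dummy-zone naming scheme and the per-zone key estimate (one key per lifetime period plus one for rollover overlap) are placeholders and assumptions, not values from the mailing list. It also assumes the enforcer does not run between "key generate" and "zone delete", so the generated keys stay unallocated and can be picked up by the real zones later. With DRY_RUN=1 (the default) it only prints the commands, so it can be reviewed offline before touching a KASP database.

```shell
#!/bin/sh
# Added example: pre-generate OpenDNSSEC keys via temporary dummy zones.
# Assumptions: ods-ksmutil 1.x command syntax; placeholder policy/zone names.

DRY_RUN="${DRY_RUN:-1}"

# Run a command, or only print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "+ $*"
    else
        "$@"
    fi
}

# Name of the i-th dummy zone (placeholder names under a reserved domain).
dummy_zone() {
    printf 'dummy%03d.example.invalid\n' "$1"
}

# Conservative per-zone key count (assumption, not an ODS rule): one key per
# lifetime period, rounded up, plus one for the pre-publish/rollover overlap.
# $1 = system lifetime in days, $2 = key lifetime in days.
keys_per_zone() {
    echo $(( ($1 + $2 - 1) / $2 + 1 ))
}

# Total ZSK and KSK counts for a fleet, printed as "ZSKs KSKs".
# $1 = zones, $2 = lifetime days, $3 = ZSK lifetime days, $4 = KSK lifetime days.
total_keys() {
    zsk=$(keys_per_zone "$2" "$3")
    ksk=$(keys_per_zone "$2" "$4")
    echo $(( $1 * zsk )) $(( $1 * ksk ))
}

# The workaround: add N dummy zones on a policy, generate keys for the
# interval, then delete the dummy zones. The keys remain in the KASP
# database and are used by real zones added later on the same policy.
# $1 = number of zones, $2 = policy, $3 = interval (e.g. 10Y).
pregenerate_keys() {
    i=1
    while [ "$i" -le "$1" ]; do
        run ods-ksmutil zone add --zone "$(dummy_zone "$i")" --policy "$2"
        i=$((i + 1))
    done
    run ods-ksmutil key generate --policy "$2" --interval "$3"
    i=1
    while [ "$i" -le "$1" ]; do
        run ods-ksmutil zone delete --zone "$(dummy_zone "$i")"
        i=$((i + 1))
    done
}

# Demonstration with 3 zones; the thread's case would be 100 and 10Y.
echo "Estimated keys (ZSK KSK) for 100 zones over 10 years:" "$(total_keys 100 3650 90 365)"
pregenerate_keys 3 default 10Y
```

Set DRY_RUN=0 to actually execute the ods-ksmutil calls. Compare the estimate from total_keys with "ods-ksmutil key list" afterwards to confirm the interval produced enough unallocated keys before the dummy zones are removed.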


