[Opendnssec-user] Maximum key generation interval on 64-bit systems
Sebastian Castro
sebastian at nzrs.net.nz
Tue Jul 16 22:15:17 UTC 2013
On 17/07/13 02:26, Gavin Brown wrote:
> Hi Klaus,
Hi Gavin,
>
>> On 16.07.2013 13:30, Gavin Brown wrote:
>>> Hi there,
>>>
>>> We are evaluating an HSM for use with OpenDNSSEC. The vendor has
>>> suggested that we consider manually generating all the keys we are
>>> likely to need up-front, so that we only ever need to do a single backup.
>>>
>>> We're using this command to generate the keys:
>>>
>>> ods-ksmutil key generate --policy default --interval [PERIOD]
>>>
>>> where [PERIOD] is:
>>>
>>> number of zones * expected life of the system
>>
>> IIRC it is not necessary to specify 1000 years. If you have configured
>> 100 zones using all the default policy, then it should be fine to just
>> specify 10Y as interval - ODS automatically detects that this policy is
>> used for 100 zones and automatically generates 100 times the required keys.
>
> The system currently has no zones in it - it's completely fresh. We
> won't be adding zones until we know what they are, but the keys need to
> be in place before the zones are added.
We had to look at this issue because by policy we generate and back up
keys once a year, but zones to be signed could be added at any time.
We found two alternatives: generate keys of certain size using
ods-hsmutil and later on allocate them to a policy/zone using
ods-ksmutil key import, or create "placeholder" zones, create keys for
them and when needed, add the zone to be signed and re-allocate the keys
to that zone using a script that "hacks" the KASP db.
The first option is cleaner, but requires keeping track of the CKA_ID of
the keys created. The second option works better with the generation
process, but allocating the keys requires some hacking (we have a script
developed and have used it successfully).
I hope this info helps,
Cheers,
>
> G.
>
--
Sebastian Castro
DNS Specialist
.nz Registry Services (New Zealand Domain Name Registry Limited)
desk: +64 4 495 2337
mobile: +64 21 400535
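The first alternative Sebastian describes (pre-generate keys with ods-hsmutil, then attach them to a zone later with `ods-ksmutil key import`) stands or falls on keeping an accurate record of each key's CKA_ID. The following is an added example, not code from the thread or from the OpenDNSSEC project: a small ledger that records the CKA_IDs of a generation/backup batch, hands out the oldest matching free key when a zone is added, and builds the import command line. The `ods-ksmutil key import` flag names (`--cka_id`, `--repository`, `--zone`, `--bits`, `--algorithm`, `--keystate`, `--keytype`, `--time`) and the `--time` format are taken from my memory of the 1.x manual page and should be checked against the installed version; all key data in `demo()` is constructed.

```python
# Added example (not from the thread or the OpenDNSSEC project): a ledger that
# tracks the CKA_IDs of keys pre-generated in the HSM and builds the
# `ods-ksmutil key import` command used to attach one of them to a zone later.
# Flag names are assumed from the ods-ksmutil 1.x manual page; verify them.
import json
import shlex
from dataclasses import asdict, dataclass
from typing import Dict, List, Optional


@dataclass
class HsmKey:
    cka_id: str              # CKA_ID reported by ods-hsmutil when the key was made
    repository: str          # repository name from conf.xml, e.g. "SoftHSM"
    bits: int                # modulus size, e.g. 2048
    algorithm: int           # DNSSEC algorithm number, e.g. 8 = RSASHA256
    generated: str           # date of the generation/backup batch (YYYY-MM-DD)
    zone: Optional[str] = None     # set once the key is allocated
    keytype: Optional[str] = None  # "KSK" or "ZSK" once allocated


class KeyLedger:
    """Pool of pre-generated HSM keys, keyed by CKA_ID."""

    def __init__(self) -> None:
        self.keys: Dict[str, HsmKey] = {}

    def record(self, key: HsmKey) -> None:
        # The CKA_ID is the only handle on the key material, so a duplicate
        # entry would make the ledger disagree with the HSM.
        if key.cka_id in self.keys:
            raise ValueError(f"duplicate CKA_ID {key.cka_id}")
        self.keys[key.cka_id] = key

    def free(self, bits: int, algorithm: int) -> List[HsmKey]:
        """Unallocated keys matching a policy's size and algorithm, oldest first."""
        return sorted(
            (k for k in self.keys.values()
             if k.zone is None and k.bits == bits and k.algorithm == algorithm),
            key=lambda k: (k.generated, k.cka_id),
        )

    def allocate(self, zone: str, keytype: str, bits: int, algorithm: int) -> HsmKey:
        """Reserve the oldest matching free key for `zone` and return it."""
        if keytype not in ("KSK", "ZSK"):
            raise ValueError("keytype must be KSK or ZSK")
        pool = self.free(bits, algorithm)
        if not pool:
            # The yearly batch is exhausted: a new generation + backup is needed.
            raise LookupError(f"no free {bits}-bit algorithm {algorithm} key")
        key = pool[0]
        key.zone, key.keytype = zone, keytype
        return key

    def import_command(self, cka_id: str, time: str, keystate: str = "generate") -> str:
        """Shell line that registers an allocated HSM key in the KASP database.

        `time` is assumed to be YYYYMMDDHHMMSS as ods-ksmutil expects (assumption).
        """
        key = self.keys[cka_id]
        if key.zone is None or key.keytype is None:
            raise ValueError("allocate the key to a zone first")
        args = [
            "ods-ksmutil", "key", "import",
            "--cka_id", key.cka_id,
            "--repository", key.repository,
            "--zone", key.zone,
            "--bits", str(key.bits),
            "--algorithm", str(key.algorithm),
            "--keystate", keystate,
            "--keytype", key.keytype,
            "--time", time,
        ]
        return shlex.join(args)

    def dump(self) -> str:
        """Serialise the ledger so it can be kept next to the HSM backup."""
        return json.dumps([asdict(k) for k in self.keys.values()], indent=1)

    @classmethod
    def load(cls, text: str) -> "KeyLedger":
        ledger = cls()
        for item in json.loads(text):
            ledger.record(HsmKey(**item))
        return ledger


def demo() -> KeyLedger:
    """Constructed data: one yearly batch of three keys, two allocated to a new zone."""
    ledger = KeyLedger()
    ledger.record(HsmKey("0a1b", "SoftHSM", 2048, 8, "2013-01-10"))
    ledger.record(HsmKey("0a1c", "SoftHSM", 1024, 8, "2013-01-10"))
    ledger.record(HsmKey("0a1d", "SoftHSM", 1024, 8, "2013-01-10"))
    ledger.allocate("example.nz", "KSK", 2048, 8)
    ledger.allocate("example.nz", "ZSK", 1024, 8)
    return ledger


if __name__ == "__main__":
    led = demo()
    print(led.import_command("0a1b", "20130716000000"))
    print(led.dump())
```

The ledger file produced by `dump()` is what would go into the yearly backup alongside the HSM token, so that a key can still be matched to its CKA_ID after a restore; `allocate()` refusing to hand out a key when the pool is empty is the signal that another generation and backup round is due.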