[Opendnssec-user] Maximum key generation interval on 64-bit systems

Klaus Darilion klaus.mailinglists at pernau.at
Wed Jul 17 08:03:37 UTC 2013



On 17.07.2013 00:15, Sebastian Castro wrote:
> On 17/07/13 02:26, Gavin Brown wrote:
>> Hi Klaus,
>
> Hi Gavin,
>
>>
>>> On 16.07.2013 13:30, Gavin Brown wrote:
>>>> Hi there,
>>>>
>>>> We are evaluating an HSM for use with OpenDNSSEC. The vendor has
>>>> suggested that we consider manually generating all the keys we are
>>>> likely to need up-front, so that we only ever need to do a single backup.
>>>>
>>>> We're using this command to generate the keys:
>>>>
>>>> ods-ksmutil key generate --policy default --interval [PERIOD]
>>>>
>>>> where [PERIOD] is:
>>>>
>>>>      number of zones * expected life of the system
>>>
>>> IIRC it is not necessary to specify 1000 years. If you have configured
>>> 100 zones using all the default policy, then it should be fine to just
>>> specify 10Y as interval - ODS automatically detects that this policy is
>>> used for 100 zones and automatically generates 100 times the required keys.
>>
>> The system currently has no zones in it - it's completely fresh. We
>> won't be adding zones until we know what they are, but the keys need to
>> be in place before the zones are added.
>
> We had to see on this issue because by policy we generate and backup
> keys once a year, but zones to be signed could be added any time.
>
> We found two alternatives: generate keys of certain size using
> ods-hsmutil and later on allocate them to a policy/zone using
> ods-ksmutil key import, or create "placeholder" zones, create keys for
> them and when needed, add the zone to be signed and re-allocate the keys
> to that zone using a script that "hacks" the KASP db.
>
> The first option is cleaner, but requires to keep track of the CKA_ID of
> the keys created. The second option works better with the generation
> process, but allocating the keys requires some hacking (we have a script
> developed and we've used successfully).

In the end it seems that a feature request is necessary, e.g. an option 
to ignore the zonelist but specify the number of zones on the 
command line, e.g.:

   ods-ksmutil key generate --policy default \
       --zonecount [number of zones to generate keys] \
       --interval [PERIOD]

regards
Klaus


