[Opendnssec-user] Maximum key generation interval on 64-bit systems

Antoin Verschuren antoin.verschuren at sidn.nl
Wed Jul 17 08:05:22 UTC 2013



On 16-07-13 17:49, Gavin Brown wrote:
> 
> The devices we're evaluating are Safenet. Backups cannot be
> automated as they require a physical hardware token. This is the
> reason why we want to pre-generate all the keys, to avoid having to
> perform regular backups manually. Instead we generate all the keys
> we'll need, backup once, and forget about it.

Using the Safenet HSMs ourselves, knowing their complexity and
hardware tokens, I wonder how you accommodate emergency key rollovers,
hardware failure, and training for that.
We have also generated all KSKs for the HSM lifetime, and have
performed surprise rollovers to avoid people using our KSK as trust
anchor (for which we have no procedure, we just tell everyone to use
the root as trust anchor).
But we do train our staff every half year in a test environment so
nobody forgets the procedures and token PINs for when we really need them.
Since our ZSKs are not pre-generated for the lifetime of the HSM,
during this training we also create new backups for our production
HSMs, and restore HSMs in a test environment with existing backups
so we train our staff in having to restore an HSM. We have had one
occasion where we really needed this, as one of the 2 HSMs we use in
production had a hardware failure, and we had to restore one of the 2
HSMs in our test environment to quickly replace that. So set and
forget is not something you can rely on.

-- 
Antoin Verschuren

Technical Policy Advisor SIDN
Meander 501, PO Box 5022, 6802 EA Arnhem, The Netherlands

P: +31 26 3525500  M: +31 6 23368970
Mailto: antoin.verschuren at sidn.nl
XMPP: antoin.verschuren at jabber.sidn.nl
HTTP://www.sidn.nl/
