[Opendnssec-user] SoftHSM Setup Question
Rick van Rein (OpenFortress)
rick at openfortress.nl
Fri Jun 21 13:51:55 CEST 2013
> I want to use OpenDNSSEC for ~15 Zones. Each zone will use their own keys (no key sharing) and the same policy for the beginning, but it should be possible to change the policy for a certain zone later. Thus I think it would be smart to start with 15 policies, although they all look the same.
It is wise to forego key sharing if you can -- and with the SoftHSM, that is certainly the case.
You'd still have the problem of importing a new policy into a zone that was acclimatised to the old policy, had timers setup and so on. I'd bet it's hardly safer than migrating a zone from one policy to another.
We've actually edited policies at some point (for all zones tied to it) and re-imported it without difficulty; first on our stage platform, later live. We may have been lucky.
Developers? Is there a well-defined hackerish approach or set of constraints to stick to in order to do this safely? It would be a rather valuable document, if not for anything else then at least to take the stress out of planning-ahead as it is done here.
> I wonder what is the best setup for the SoftHSM. Shall I use a single slot/token for all keys, or should I have a dedicated slot per policy/zone?
The slots are just "plug points" for tokens, a bit like ISA slots. (Oops, I'm carbon-dating myself here… I meant to say ultra-micro-PCI-express of course)
I think you should only consider multiple tokens if you plan on taking out part of your zones to another hosting location.
Hope this helps,
More information about the Opendnssec-user