[Opendnssec-user] enforcer hooks

Jerry Lundström jerry at opendnssec.org
Mon May 19 11:21:29 UTC 2014


On Mon, 2014-05-19 at 13:09 +0200, Petr Spacek wrote:
> Private key will be distributed by underlying PKCS#11 implementation but we 
> need to receive key ID and all the metadata necessary for DNS 
> signing/orchestration.
> 
> > There are a few different keys and states, there are HSM keys (raw key
> > material) and keys in KASP and they both carry a lot of states.
> Imagine that we want to use ODS to generate keys. All the key metadata need to 
> be stored in distributed database (along with key ID) so all the K* files can 
> be reconstructed on all DNS servers.
> 
> Basically we need to get timestamps and DNSSEC key flags as they are stored in 
> K*.private keys for BIND.

Have you looked at the signconf files generated by the Enforcer? They
contain all the information the Signer needs to sign the zone. The
Signer does not use the KASP database.

You could monitor that directory and trigger on file changes/add and
retrieve the new information and propagate it.

-- 
Jerry Lundström - OpenDNSSEC Developer
http://www.opendnssec.org/
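As an added example of the approach suggested above (this is not code from the thread or from OpenDNSSEC itself): poll the signconf directory, and for every file that is new or has a changed mtime, pull the per-key metadata out of it. The embedded signconf is constructed to follow the element layout the 1.4 Enforcer writes (a Zone name attribute, Keys/Key children carrying Flags, Algorithm and Locator, plus KSK/ZSK/Publish marker elements); the locator values and directory path are made up. One caveat: the signconf expresses key state as those marker elements, not as the timestamps stored in BIND K*.private files, so timestamps would still have to be taken from the Enforcer's own key listing.

```python
import os
import tempfile
import time
import xml.etree.ElementTree as ET

# Constructed sample signconf (layout as written by the OpenDNSSEC 1.4
# Enforcer to the best of my knowledge; locator values are made up).
SAMPLE_SIGNCONF = """<SignerConfiguration>
  <Zone name="example.com">
    <Keys>
      <TTL>PT3600S</TTL>
      <Key>
        <Flags>257</Flags>
        <Algorithm>8</Algorithm>
        <Locator>0123456789abcdef0123456789abcdef</Locator>
        <KSK/>
        <Publish/>
      </Key>
      <Key>
        <Flags>256</Flags>
        <Algorithm>8</Algorithm>
        <Locator>fedcba9876543210fedcba9876543210</Locator>
        <ZSK/>
        <Publish/>
      </Key>
    </Keys>
  </Zone>
</SignerConfiguration>
"""


def parse_signconf(xml_text):
    """Return (zone_name, keys): one dict per <Key> in the signconf.

    The locator is the PKCS#11 key identifier the Signer hands to the HSM;
    flags/algorithm are the DNSKEY values; ksk/zsk/publish reflect the
    role and state marker elements the Enforcer emitted."""
    root = ET.fromstring(xml_text)
    zone_el = root.find("Zone")
    if zone_el is None:
        raise ValueError("no <Zone> element in signconf")
    keys = []
    for key_el in zone_el.findall("Keys/Key"):
        keys.append({
            "locator": key_el.findtext("Locator", "").strip(),
            "flags": int(key_el.findtext("Flags")),
            "algorithm": int(key_el.findtext("Algorithm")),
            "ksk": key_el.find("KSK") is not None,
            "zsk": key_el.find("ZSK") is not None,
            "publish": key_el.find("Publish") is not None,
        })
    return zone_el.get("name"), keys


def scan_signconf_dir(directory, seen):
    """Poll the signconf directory once.

    `seen` maps filename -> mtime from the previous pass and is updated in
    place. Returns a list of (zone_name, keys) for files that are new or
    changed. A file that fails to parse (e.g. caught mid-write) is skipped
    and its mtime is not recorded, so it is retried on the next pass."""
    changes = []
    for name in sorted(os.listdir(directory)):
        if not name.endswith(".xml"):
            continue
        path = os.path.join(directory, name)
        mtime = os.stat(path).st_mtime
        if seen.get(name) == mtime:
            continue
        try:
            with open(path, encoding="utf-8") as fh:
                changes.append(parse_signconf(fh.read()))
        except (ET.ParseError, ValueError):
            continue
        seen[name] = mtime
    return changes


def demo_dir():
    """Create a temporary directory holding the constructed sample signconf."""
    directory = tempfile.mkdtemp(prefix="signconf-")
    with open(os.path.join(directory, "example.com.xml"), "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_SIGNCONF)
    return directory


def watch(directory, interval=5.0, on_change=print):
    """Loop forever, calling on_change(zone, keys) for each changed signconf."""
    seen = {}
    while True:
        for zone, keys in scan_signconf_dir(directory, seen):
            on_change(zone, keys)
        time.sleep(interval)


if __name__ == "__main__":
    # Hypothetical directory; on a real host point this at the Enforcer's
    # signconf output directory from conf.xml instead.
    for zone, keys in scan_signconf_dir(demo_dir(), {}):
        print(zone, keys)
```

Using mtime alone is enough for a first cut; on a production host you would want to also record the file's content hash, since an Enforcer rewrite that produces identical content still bumps the mtime, and to run the propagation step idempotently so a repeated notification does no harm.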


