[Opendnssec-user] About Key rollover

yaohongyuan yaohongyuan at 163.com
Tue Nov 17 12:36:00 UTC 2015


Hi Jakob,
First of all, thanks for your reply; it's very helpful. Did you mean as below:
            1. I should add a new "<Repository>" tag under "<RepositoryList>" in conf.xml.
                Before change:
                        <Configuration>
                                <RepositoryList>
                                        <Repository name="repo1">
                                                .....
                                        </Repository>
                                </RepositoryList>
                                .....
                        </Configuration>
                After change:
                        <Configuration>
                                <RepositoryList>
                                        <Repository name="repo1">
                                                .....
                                        </Repository>
                                        <Repository name="repo2">
                                                .....
                                        </Repository>
                                </RepositoryList>
                                .....
                        </Configuration>
            2. Update kasp.xml, in whichever "<Policy>" should use the new HSM.

                Before change:
                        <KASP>
                                <Policy name="default">
                                        <Keys>
                                                <!-- Parameters for KSK only -->
                                                <KSK>
                                                        <Algorithm length="2048">8</Algorithm>
                                                        <Lifetime>P1Y</Lifetime>
                                                        <Repository>repo1</Repository>
                                                </KSK>

                                                <!-- Parameters for ZSK only -->
                                                <ZSK>
                                                        <Algorithm length="1024">8</Algorithm>
                                                        <Lifetime>P90D</Lifetime>
                                                        <Repository>repo1</Repository>
                                                </ZSK>
                                        </Keys>
                                </Policy>
                        </KASP>

                After change:
                        <KASP>
                                <Policy name="default">
                                        <Keys>
                                                <!-- Parameters for KSK only -->
                                                <KSK>
                                                        <Algorithm length="2048">8</Algorithm>
                                                        <Lifetime>P1Y</Lifetime>
                                                        <Repository>repo2</Repository>
                                                </KSK>

                                                <!-- Parameters for ZSK only -->
                                                <ZSK>
                                                        <Algorithm length="1024">8</Algorithm>
                                                        <Lifetime>P90D</Lifetime>
                                                        <Repository>repo2</Repository>
                                                </ZSK>
                                        </Keys>
                                </Policy>
                        </KASP>

            3. Restart ODS and reload all the conf files, e.g. "$ ./ods-ksmutil update all".

            If I've missed something, please let me know. Thank you very much.

Best Regards,
Dean.


At 2015-11-17 16:58:59, "Jakob Schlyter" <jakob at kirei.se> wrote:
>
>> On 17 nov. 2015, at 05:13, yaohongyuan <yaohongyuan at 163.com> wrote:
>> 
>>       Do you think it is possible for opendnssec to connect to two HSMs and sign into one zone file?
>
>Yes, you can configure multiple repositories. If you update the KASP so that new keys use the new HSM, it will automatically be used when rolling over.
>
>	jakob
>
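The three steps in the mail above, as an added example that is not part of the original thread or of OpenDNSSEC's own tooling: a small Python checker over the two files those steps edit. The repository names and the policy values are the ones from the mail; the Module, TokenLabel and PIN values, the example.com zone and the list of live keys (in the shape one would transcribe from `ods-ksmutil key list --verbose`) are assumptions. It encodes the point in Jakob's reply that the KASP change applies to keys generated from now on: keys already in the old HSM stay there until they are rolled, so the old repository has to remain in conf.xml as long as any live key sits in it, and `pending_moves` lists the keys that the next rollover will move.

```python
# Added example, not from the thread or from OpenDNSSEC: consistency check for
# the repository names that tie conf.xml and kasp.xml together.
# Repository names and policy values are those of the mail; Module, TokenLabel,
# PIN, the example.com zone and the live-key list are assumptions.
import xml.etree.ElementTree as ET

# Constructed conf.xml after step 1: both HSMs are configured.
CONF_XML = """<Configuration>
  <RepositoryList>
    <Repository name="repo1">
      <Module>/usr/lib/softhsm/libsofthsm2.so</Module>
      <TokenLabel>OpenDNSSEC</TokenLabel>
      <PIN>1234</PIN>
    </Repository>
    <Repository name="repo2">
      <Module>/usr/lib/pkcs11/libhsm2.so</Module>
      <TokenLabel>ods-repo2</TokenLabel>
      <PIN>1234</PIN>
    </Repository>
  </RepositoryList>
</Configuration>
"""

# Constructed kasp.xml after step 2: new keys are generated in repo2.
KASP_XML = """<KASP>
  <Policy name="default">
    <Keys>
      <KSK>
        <Algorithm length="2048">8</Algorithm>
        <Lifetime>P1Y</Lifetime>
        <Repository>repo2</Repository>
      </KSK>
      <ZSK>
        <Algorithm length="1024">8</Algorithm>
        <Lifetime>P90D</Lifetime>
        <Repository>repo2</Repository>
      </ZSK>
    </Keys>
  </Policy>
</KASP>
"""

# Constructed stand-in for the live keys as (zone, key type, repository),
# the columns one would copy from `ods-ksmutil key list --verbose`.
KEYS_IN_HSM = [
    ("example.com", "KSK", "repo1"),
    ("example.com", "ZSK", "repo1"),
]
ZONE_POLICY = {"example.com": "default"}  # zone -> policy name (assumed)


def parse_repositories(conf_xml):
    """Return {name: {module, token}} for every <Repository> in conf.xml."""
    root = ET.fromstring(conf_xml)
    return {
        rep.get("name"): {"module": rep.findtext("Module"), "token": rep.findtext("TokenLabel")}
        for rep in root.findall("./RepositoryList/Repository")
    }


def parse_policy_repositories(kasp_xml):
    """Return {policy: {"KSK": repo, "ZSK": repo}} from kasp.xml."""
    root = ET.fromstring(kasp_xml)
    return {
        pol.get("name"): {kt: pol.findtext(f"Keys/{kt}/Repository") for kt in ("KSK", "ZSK")}
        for pol in root.findall("./Policy")
    }


def check_repositories(conf_xml, kasp_xml, keys_in_hsm):
    """Name mismatches between the files, plus live keys left in a dropped repository."""
    repos = parse_repositories(conf_xml)
    problems = []
    for name, rep in repos.items():
        if not rep["module"] or not rep["token"]:
            problems.append(f"repository {name}: <Module> or <TokenLabel> missing")
    for pname, by_type in parse_policy_repositories(kasp_xml).items():
        for ktype, repo in by_type.items():
            if repo not in repos:
                problems.append(f"policy {pname}: {ktype} refers to undefined repository {repo!r}")
    # The policy change affects new keys only; keys already in the old HSM stay
    # there until rolled, so their repository must stay configured meanwhile.
    for zone, ktype, repo in keys_in_hsm:
        if repo not in repos:
            problems.append(f"zone {zone}: live {ktype} is in {repo!r}, which is no longer configured")
    return problems


def pending_moves(kasp_xml, keys_in_hsm, zone_policy):
    """Keys whose repository differs from their policy's: these move at the next rollover."""
    policies = parse_policy_repositories(kasp_xml)
    return [
        (zone, ktype, repo, policies[zone_policy[zone]][ktype])
        for zone, ktype, repo in keys_in_hsm
        if policies[zone_policy[zone]][ktype] != repo
    ]


def drop_repository(conf_xml, name):
    """conf.xml with one <Repository> removed (models retiring an HSM too early)."""
    root = ET.fromstring(conf_xml)
    rlist = root.find("RepositoryList")
    for rep in rlist.findall("Repository"):
        if rep.get("name") == name:
            rlist.remove(rep)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("problems:", check_repositories(CONF_XML, KASP_XML, KEYS_IN_HSM))
    print("move at next rollover:", pending_moves(KASP_XML, KEYS_IN_HSM, ZONE_POLICY))
    print("repo1 dropped now:", check_repositories(drop_repository(CONF_XML, "repo1"), KASP_XML, KEYS_IN_HSM))
```

Run it between step 2 and step 3: an empty problem list means every repository a policy names is defined and every live key still has its HSM configured; the two constructed keys show up in `pending_moves` because they are in repo1 while the policy now says repo2, which is exactly the situation Jakob's reply describes. Removing repo1 from conf.xml before those keys have been rolled is what the last call flags.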

