[Opendnssec-user] OpenDNSSEC with SafeNet Luna HSM

Yuri Schaeffer yuri at nlnetlabs.nl
Tue May 17 09:51:16 CEST 2016


Hi Roman,

> - in my case, a newly created domain consumed 2768 bytes (I store both
> public and private keys for KSK and ZSK). With the current partition
> size I should be able to handle up to 150 domains, but I guess I'll
> also have to consider an overhead during roll-over which will
> temporarily double the consumed space? Will OpenDNSSEC purge old
> ZSK/KSKs after the roll-over is finished or I'll have to delete them
> manually?

OpenDNSSEC will do that. In the KASP you can define a purge delay in the
<Key> section. I believe if you set it to 0 it will never purge.

From the example kasp.xml, purge 14 days after rollover finished:

<Purge>P14D</Purge>


//Yuri
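
An added example, not part of the message above and not OpenDNSSEC code: a check that reads the `<Purge>` delay of every policy in a kasp.xml and flags policies whose retired keys would stay in the HSM partition. The sample XML is constructed; treating a missing `<Purge>` or a zero delay as "never purged", and counting a year as 365 days and a month as 31 days, are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample, not a real deployment's kasp.xml.
SAMPLE_KASP = """<KASP>
  <Policy name="default"><Keys><Purge>P14D</Purge></Keys></Policy>
  <Policy name="no-purge"><Keys><TTL>PT3600S</TTL></Keys></Policy>
  <Policy name="zero"><Keys><Purge>PT0S</Purge></Keys></Policy>
</KASP>"""

# ISO 8601 duration as used in kasp.xml, e.g. P14D or PT3600S.
_DURATION = re.compile(
    r"^P(?:(\d+)Y)?(?:(\d+)M)?(?:(\d+)W)?(?:(\d+)D)?"
    r"(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$"
)


def duration_seconds(text):
    """Convert an ISO 8601 duration to seconds (assumed: Y=365d, M=31d)."""
    match = _DURATION.match(text.strip())
    if not match or not any(match.groups()):
        raise ValueError("not an ISO 8601 duration: %r" % text)
    y, mo, w, d, h, mi, s = (int(g or 0) for g in match.groups())
    days = y * 365 + mo * 31 + w * 7 + d
    return (days * 24 + h) * 3600 + mi * 60 + s


def audit_purge(kasp_xml):
    """Map policy name -> purge delay in seconds, or None if <Purge> is absent."""
    result = {}
    for policy in ET.fromstring(kasp_xml).iter("Policy"):
        node = policy.find("Keys/Purge")
        text = (node.text or "").strip() if node is not None else ""
        result[policy.get("name")] = duration_seconds(text) if text else None
    return result


def unpurged_policies(kasp_xml):
    """Policies assumed to keep dead keys in the HSM (no delay, or zero)."""
    return sorted(n for n, secs in audit_purge(kasp_xml).items() if not secs)


if __name__ == "__main__":
    for name, secs in audit_purge(SAMPLE_KASP).items():
        label = "no purge" if not secs else "%d days" % (secs // 86400)
        print("%-10s %s" % (name, label))
```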
