[Opendnssec-user] How to have multiple ODS signers using the same keys in the same order

Yuri Schaeffer yuri at nlnetlabs.nl
Thu Aug 17 09:55:55 UTC 2017

Hi Jake,

Thanks for the write up! I do have a few additional pointers.

nit: Subject line should be about enforcers I suppose.
>                 I believed the initial run of 'ods-enforcerd' was what
> decided which key(s) would be picked first.

For OpenDNSSEC 2 this will be the case. The database doesn't get
populated with keys by an external program (ksmutil) anymore. Though it
can still pre generate keys.

>                 I wish ods-enforcerd, on initial run, would first check
> the HSM for available keys instead of checking 'keypairs', finding it
> empty, and then generating a new key.

I'm not sure it would be a good idea to let OpenDNSSEC use key material
it happens to find and doesn't know about. Could be from old keys.
Perhaps once used with a different algorithm. Best to let them untouched.

It is a feature we could think about though. Yet, the HSM also doesn't
come with guarantees regarding the order of keys as far as I know.

> èThis behaviour would be especially bad in situations where someone is
> using multiple AEP Keypers in remote locations, as it would take a trip
> and smart cards to get the newly generated key on to the secondary HSM.
>             (Unless using AEP load balancer, I guess)

OpenDNSSEC supports importing of keys from the HSM. But that might not
be applicable here. Not sure it can import as 'unused'.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 195 bytes
Desc: OpenPGP digital signature
URL: <http://lists.opendnssec.org/pipermail/opendnssec-user/attachments/20170817/85cddc2a/attachment.bin>

More information about the Opendnssec-user mailing list