[Opendnssec-user] To MySQL or not?
Jakob Schlyter
jakob at kirei.se
Tue Feb 28 20:42:06 UTC 2017
On 2017-02-28 at 19:47, Roman Serbski wrote:
> We're planning to migrate to 2.1.0, and to introduce hardware HSM with
> ZSKs still stored under SoftHSM and KSKs to be handled by the hardware
> HSM (SafeNet).
(out of scope for your question, but anyway)
Why not store both KSK and ZSK in the HSM? They are of almost equal
value and a compromised ZSK can be used to sign anything, including
other ZSKs.
jakob