[Opendnssec-user] To MySQL or not?
mefystofel at gmail.com
Wed Mar 1 20:36:04 UTC 2017
On Tue, Feb 28, 2017 at 9:42 PM, Jakob Schlyter <jakob at kirei.se> wrote:
> On 2017-02-28 at 19:47, Roman Serbski wrote:
>> We're planning to migrate to 2.1.0, and to introduce hardware HSM with
>> ZSKs still stored under SoftHSM and KSKs to be handled by the hardware
>> HSM (SafeNet).
> (out of scope for your question, but anyway)
> Why not store both KSK and ZSK in the HSM? They are of almost equal value
> and a compromised ZSK can be used to sign anything, including other ZSKs.
I agree, but we're limited by the space on the HSM partition, which
is 500KB. Both ZSK and KSK stored on the HSM will consume ~2768 bytes
(+ extra 2768 bytes during the roll-over), which leaves us ~90 domains.
The proper solution would probably be to extend the partition, but
last time I asked for a quote it was some unrealistic figure. :)
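The capacity arithmetic behind the "~90 domains" figure, as an added example that is not part of the thread and not OpenDNSSEC or SafeNet code. It uses the numbers stated above (a 500KB partition, ~2768 bytes per domain for KSK plus ZSK, and the same again while a domain is mid-rollover); reading "500KB" as 500,000 bytes and the `concurrent_rollovers` parameter, which budgets only a limited number of zones rolling at once instead of all of them, are assumptions of this example.

```python
# Added example: capacity planning for DNSSEC key material on a space-limited
# HSM partition. Figures are those quoted in the thread; the decimal reading
# of "500KB" and the concurrent-rollover budgeting model are assumptions.

PARTITION_BYTES = 500_000   # "500KB" in the thread, read as 500,000 bytes (assumption)
BYTES_PER_DOMAIN = 2768     # KSK + ZSK material per zone, as stated in the thread
ROLLOVER_EXTRA = 2768       # additional material held while a zone is rolling over


def worst_case_bytes_per_domain(steady, rollover_extra):
    """Bytes one zone needs when old and new keys must coexist on the HSM."""
    return steady + rollover_extra


def domains_that_fit(partition, steady, rollover_extra, concurrent_rollovers=None):
    """Number of zones whose keys fit on the partition.

    With concurrent_rollovers=None every zone is budgeted as if it could be
    rolling at the same time (the conservative reading behind the thread's
    ~90 figure). With an integer, only that many zones are allowed to roll
    concurrently; the remainder are budgeted at their steady-state size.
    """
    worst = worst_case_bytes_per_domain(steady, rollover_extra)
    if concurrent_rollovers is None:
        return partition // worst
    reserved = concurrent_rollovers * rollover_extra
    if reserved > partition:
        return 0
    fitted = (partition - reserved) // steady
    # If fewer zones fit than the rollover allowance, the reservation was
    # overcounted; fall back to budgeting every zone at worst case.
    if fitted < concurrent_rollovers:
        return partition // worst
    return fitted


def required_partition(n_domains, steady, rollover_extra, concurrent_rollovers=None):
    """Partition size (bytes) needed for n_domains zones under the same model.

    Useful for sizing a quote for a larger partition: every zone needs its
    steady-state footprint, plus rollover headroom for as many zones as may
    roll at once.
    """
    if concurrent_rollovers is None:
        rolling = n_domains
    else:
        rolling = min(concurrent_rollovers, n_domains)
    return n_domains * steady + rolling * rollover_extra


if __name__ == "__main__":
    # Reproduces the thread's estimate: everything rolling at once -> ~90 zones.
    print("all zones may roll at once:",
          domains_that_fit(PARTITION_BYTES, BYTES_PER_DOMAIN, ROLLOVER_EXTRA))
    # Same partition when only 5 zones are allowed to roll concurrently.
    print("at most 5 concurrent rollovers:",
          domains_that_fit(PARTITION_BYTES, BYTES_PER_DOMAIN, ROLLOVER_EXTRA,
                           concurrent_rollovers=5))
    # Partition needed to keep 200 zones with 5 concurrent rollovers.
    print("bytes for 200 zones, 5 concurrent rollovers:",
          required_partition(200, BYTES_PER_DOMAIN, ROLLOVER_EXTRA,
                             concurrent_rollovers=5))
```

The conservative model (every zone mid-rollover at once) is what produces ~90 zones; limiting how many zones roll at the same time, which a key-rollover schedule normally does anyway, stretches the same partition considerably, so it is worth stating that limit explicitly when sizing an HSM partition or deciding which key types it must hold. The thread does not give the KSK/ZSK split within the 2768 bytes, so this example deliberately does not model KSK-only storage.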