[Opendnssec-user] To MySQL or not?

Roman Serbski mefystofel at gmail.com
Wed Mar 1 20:36:04 UTC 2017


On Tue, Feb 28, 2017 at 9:42 PM, Jakob Schlyter <jakob at kirei.se> wrote:
> On 2017-02-28 at 19:47, Roman Serbski wrote:
>
>> We're planning to migrate to 2.1.0, and to introduce hardware HSM with
>> ZSKs still stored under SoftHSM and KSKs to be handled by the hardware
>> HSM (SafeNet).
>
> (out of scope for your question, but anyway)
>
> Why not store both KSK and ZSK in the HSM? They are of almost equal value
> and a compromised ZSK can be used to sign anything, including other ZSKs.

I agree, but we're limited by the space on the HSM partition, which
is 500KB. Both ZSK and KSK stored on the HSM will consume ~2768 bytes
(+ an extra 2768 bytes during the roll-over), which leaves us with
only ~90 domains.

The proper solution would probably be to extend the partition, but
last time I asked for a quote it was some unrealistic figure. :)
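The capacity arithmetic behind the "~90 domains" figure, as an added worked example that is not part of the thread and not OpenDNSSEC or SafeNet code. It takes the numbers quoted in the message (a 500KB partition, ~2768 bytes for a KSK+ZSK pair, and the same again while a roll-over is in progress) and compares the two key placements discussed: everything in the HSM versus KSK-only. The decimal reading of "500KB" as 500 000 bytes and the even split of the pair's footprint between KSK and ZSK are assumptions, not facts from the thread.

```python
"""Capacity model for DNSSEC key material on a fixed-size HSM partition.

Constructed example; figures marked "per the message" come from the
mailing-list post, everything else is an assumption for illustration.
"""
from dataclasses import dataclass

PARTITION_BYTES = 500_000   # "500KB" per the message; decimal KB is an assumption
PAIR_BYTES = 2768           # KSK + ZSK objects for one zone, per the message
KSK_BYTES = PAIR_BYTES // 2 # assumption: both keys have a similar footprint
ZSK_BYTES = PAIR_BYTES - KSK_BYTES


@dataclass(frozen=True)
class Scheme:
    """Which of a zone's keys live on the hardware HSM (the rest stay in SoftHSM)."""
    name: str
    ksk_in_hsm: bool
    zsk_in_hsm: bool


BOTH_IN_HSM = Scheme("KSK+ZSK in HSM", ksk_in_hsm=True, zsk_in_hsm=True)
KSK_ONLY = Scheme("KSK in HSM, ZSK in SoftHSM", ksk_in_hsm=True, zsk_in_hsm=False)


def peak_bytes_per_zone(scheme: Scheme, rolling: bool = True) -> int:
    """Worst-case bytes one zone occupies on the HSM.

    During a roll-over the outgoing and incoming key coexist, so each key
    that lives on the HSM is counted twice (the "+ extra 2768 bytes" in the
    message, applied to whichever keys are actually on the hardware).
    """
    per_key = 2 if rolling else 1
    total = 0
    if scheme.ksk_in_hsm:
        total += KSK_BYTES * per_key
    if scheme.zsk_in_hsm:
        total += ZSK_BYTES * per_key
    return total


def max_zones(scheme: Scheme, partition_bytes: int = PARTITION_BYTES,
              rolling: bool = True) -> int:
    """How many zones fit if every zone is sized for its worst case."""
    return partition_bytes // peak_bytes_per_zone(scheme, rolling)


def fits(zones: int, scheme: Scheme, partition_bytes: int = PARTITION_BYTES,
         rolling: bool = True) -> tuple[bool, int]:
    """Return (fits?, spare bytes) for a given zone count; spare is negative
    when the partition is too small."""
    needed = zones * peak_bytes_per_zone(scheme, rolling)
    spare = partition_bytes - needed
    return spare >= 0, spare


if __name__ == "__main__":
    for scheme in (BOTH_IN_HSM, KSK_ONLY):
        print(f"{scheme.name}: {peak_bytes_per_zone(scheme)} bytes/zone at peak, "
              f"max {max_zones(scheme)} zones")
    ok, spare = fits(100, BOTH_IN_HSM)
    print(f"100 zones with both keys in HSM: fits={ok}, spare={spare} bytes")
```

Sizing for the roll-over peak rather than the steady state is what halves the zone count; the model shows that moving the ZSK out of the hardware HSM, as the message proposes, roughly doubles the number of zones that fit, at the cost Jakob points out.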


