Antoin,

> To: Open DNSSEC List
> Subject: [Opendnssec-user] OpenDNSSEC, HSM and key ceremony
>
> Hi guys,
>
> We're having quite some discussions on the operational implementation of
> OpenDNSSEC, on what the role of the key ceremony is when OpenDNSSEC is
> used, and on how it should be configured.
> What we're trying to accomplish is that KSK rollovers should always be
> done manually in a key ceremony, with MofN authentication.
> We don't want to have the same security constraints for ZSK rollovers.
> ZSK rollovers should be done automatically by OpenDNSSEC.
>
> I wonder how ICANN or .se is doing this with OpenDNSSEC.
>
> We're using a Luna SA HSM.
>
> Isn't it true that for a ZSK rollover, OpenDNSSEC needs access to the
> KSK, at least for signing?
> Or, if you pre-generate ZSKs to be used by OpenDNSSEC, you need to
> generate signatures by the KSKs as well, right?
> Where are they stored, and how do you pre-generate these ZSKs and
> signatures for the lifetime of the KSK?
> How do you configure that in OpenDNSSEC so it knows where to get the
> ZSKs and signatures?
>
> Or:
>
> Do we assume that an HSM has the capability to sign with the KSK during
> a ZSK rollover?
> In our HSM, if we grant OpenDNSSEC the right to sign with the KSK
> during the ZSK rollover, OpenDNSSEC also has the right to generate or
> delete new KSKs (without the MofN key ceremony).
You could pre-generate some/all of your ZSKs and/or KSKs and also add the ManualKeyGeneration config statement to conf.xml; then OpenDNSSEC wouldn't generate keys at all.

Brett

_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
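As an added illustration of the configuration Brett refers to (this is a constructed example, not a file posted in the thread or shipped by the OpenDNSSEC project): a minimal OpenDNSSEC 1.x conf.xml in which the Enforcer section carries the ManualKeyGeneration element, so the enforcer never creates keys on its own and only uses keys that were pre-generated, for instance during the key ceremony. The repository name, the Luna SA PKCS#11 module path, the token label, the PIN and the file paths are placeholders and must be replaced with the values of the actual deployment.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- conf.xml: constructed example for OpenDNSSEC 1.x; all names and paths are placeholders -->
<Configuration>

  <RepositoryList>
    <!-- The HSM is reached through its PKCS#11 client library; module path,
         token label and PIN are assumptions for this example. -->
    <Repository name="LunaSA">
      <Module>/usr/lib/libCryptoki2_64.so</Module>
      <TokenLabel>opendnssec-partition</TokenLabel>
      <PIN>REPLACE_WITH_PARTITION_PIN</PIN>
    </Repository>
  </RepositoryList>

  <Common>
    <Logging>
      <Syslog><Facility>local0</Facility></Syslog>
    </Logging>
    <PolicyFile>/etc/opendnssec/kasp.xml</PolicyFile>
    <ZoneListFile>/etc/opendnssec/zonelist.xml</ZoneListFile>
  </Common>

  <Enforcer>
    <Datastore><SQLite>/var/opendnssec/kasp.db</SQLite></Datastore>
    <Interval>PT3600S</Interval>
    <!-- With this element present the enforcer does not generate keys itself;
         it only allocates keys that already exist in the repository. -->
    <ManualKeyGeneration/>
  </Enforcer>

  <Signer>
    <WorkingDirectory>/var/opendnssec/tmp</WorkingDirectory>
  </Signer>

</Configuration>
```

Two points worth keeping in mind with this setup. First, ManualKeyGeneration only stops the enforcer from creating keys; it does not restrict what the PKCS#11 credential in the Repository section is allowed to do, so whether the signer's credential can create or destroy key objects is decided by the HSM's own partition and role configuration, which is the concern raised in the original question. Second, the ZSK-only automation described in the question is handled on the policy side: OpenDNSSEC 1.x accepts a ManualRollover element inside the KSK section of kasp.xml, so the KSK is rolled only when an operator explicitly triggers it while ZSK rollovers continue on the policy's timetable.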
