Hi, we are thinking the same way as Michael. Is there some plan to support this "pregenerated ZSK's and DNSKEY signatures" in future versions of OpenDNSSEC? I would vote for it and it's not mentioned in http://www.opendnssec.org/about/release-plan/ .
Or maybe 1.3. item - "Support for signing a root zone" is hiding this feature and it's right on the way? :) Regards, Jaromir On Fri, 2010-06-11 at 12:18 +0200, Michael Braunoeder wrote: > Hi Antoin, > > Am 11.06.2010 11:02, schrieb Antoin Verschuren: > [...] > > > > Isn't it true that for a ZSK rollover, OpenDNSSEC needs access to the KSK, > > at least for signing ? > > Or if you pregenerate ZSK's to be used by OpenDNSSEC, you need to generate > > signatures by the KSK's as well right ? > > Where are they stored, and how do you pregenerate these ZSK's and > > signatures for the lifetime of the KSK ? > > How do you configure that in OpenDNSSEC so it knows where to get the ZSK's > > and signatures ? > > > > We are currently thinking about such an implementation setup with > pregenerated ZSKs and signatures and unfortunately I think such a setup > is not possible with the current OpenDNSSEC. > > Best, > Michael > > > _______________________________________________ > Opendnssec-user mailing list > [email protected] > https://lists.opendnssec.org/mailman/listinfo/opendnssec-user -- Jaromir Talir technicky reditel / Chief Technical Officer ------------------------------------------- CZ.NIC, z.s.p.o. -- .cz domain registry Americka 23, 120 00 Praha 2, Czech Republic mailto:[email protected] http://nic.cz/ sip:[email protected] tel:+420.222745107 mob:+420.739632712 fax:+420.222745112 -------------------------------------------
smime.p7s
Description: S/MIME cryptographic signature
_______________________________________________ Opendnssec-user mailing list [email protected] https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
