Hi,
On 2011-12-01 16:54, Michael Braunoeder wrote:
> Hi Rickard,
> On 01.12.2011 15:48, Rickard Bellgrim wrote:
>> What I would do is to add the emergency DNSKEY as a normal RR in the
>> plain zone, because OpenDNSSEC doesn't need to maintain its state as a
>> key.
>> Then, in case of a rollover, it should be a matter of adding a new
>> keystore with SoftHSM.
> You just add the DNSKEY of the emergency ZSK in the unsigned zone.
> Perfect.
When switching over to the emergency HSM, I think you should also add
the DNSKEY record of the old HSM's ZSK to the unsigned zone file that is
then signed using the emergency HSM. That is because a resolver can
still have a signature made with the old ZSK in the cache but needs to
fetch the DNSKEY RRset from the authoritative servers.
Antti
_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
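The cache problem Antti raises, as an added example that is not code from this thread or from the OpenDNSSEC project: a resolver has an A record and its RRSIG (made with the old HSM's ZSK) in cache, the zone is re-signed with the emergency ZSK, and the resolver then fetches the apex DNSKEY RRset to validate the cached answer. The key tag is computed as in RFC 4034 Appendix B and the candidate-key selection follows RFC 4035 section 5.3; the signature primitive itself is a hash stand-in (an assumption, so the script runs with the standard library only) and all key bytes, names and times are constructed.

```python
import hashlib
import struct
from dataclasses import dataclass

ZSK_FLAGS = 256          # Zone Key bit set
KSK_FLAGS = 257          # Zone Key + SEP bits set
ALG = 13                 # algorithm number only; the crypto below is a stand-in


@dataclass(frozen=True)
class DNSKEY:
    flags: int
    algorithm: int
    public_key: bytes     # constructed bytes, not a real key
    protocol: int = 3

    def rdata(self) -> bytes:
        return struct.pack("!HBB", self.flags, self.protocol, self.algorithm) + self.public_key

    def key_tag(self) -> int:
        """RFC 4034 Appendix B key tag over the DNSKEY RDATA."""
        ac = 0
        for i, b in enumerate(self.rdata()):
            ac += b if i & 1 else b << 8
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF


@dataclass(frozen=True)
class RRSIG:
    type_covered: str
    algorithm: int
    key_tag: int
    signer: str
    expiration: int
    signature: bytes


def _stand_in_sign(public_key: bytes, data: bytes) -> bytes:
    # Assumption: a hash stands in for the real DNSSEC signature (it is
    # forgeable by design). Only the DNSKEY lookup logic is faithful.
    return hashlib.sha256(public_key + data).digest()


def _signed_data(owner: str, rtype: str, rdatas) -> bytes:
    return owner.encode() + rtype.encode() + b"".join(sorted(rdatas))


def sign_rrset(owner: str, rtype: str, rdatas, key: DNSKEY, expiration: int) -> RRSIG:
    return RRSIG(rtype, key.algorithm, key.key_tag(), owner, expiration,
                 _stand_in_sign(key.public_key, _signed_data(owner, rtype, rdatas)))


def validate(owner: str, rtype: str, rdatas, rrsig: RRSIG, dnskey_rrset, now: int) -> str:
    """Check one cached RRSIG against the DNSKEY RRset just fetched from the zone."""
    if now > rrsig.expiration:
        return "bogus: RRSIG expired"
    # RFC 4035 5.3.1: the DNSKEY must match the RRSIG's key tag and algorithm
    # and have the Zone Key bit set. Key tags can collide, so try every match.
    candidates = [k for k in dnskey_rrset
                  if k.key_tag() == rrsig.key_tag
                  and k.algorithm == rrsig.algorithm
                  and k.flags & 0x100]
    if not candidates:
        return "bogus: no DNSKEY matches RRSIG key tag %d" % rrsig.key_tag
    data = _signed_data(owner, rtype, rdatas)
    for k in candidates:
        if _stand_in_sign(k.public_key, data) == rrsig.signature:
            return "secure"
    return "bogus: signature does not verify"


def emergency_switch_scenario(keep_old_zsk: bool) -> str:
    """Resolver view of the switch to the emergency HSM (constructed timeline)."""
    ksk = DNSKEY(KSK_FLAGS, ALG, b"ksk-public-key")
    old_zsk = DNSKEY(ZSK_FLAGS, ALG, b"old-hsm-zsk-public-key")
    emergency_zsk = DNSKEY(ZSK_FLAGS, ALG, b"softhsm-emergency-zsk-public-key")
    owner, rdatas = "www.example.", [b"\xc0\x00\x02\x01"]

    # t=0: zone signed by the old HSM; a resolver caches www A plus its RRSIG.
    cached_rrsig = sign_rrset(owner, "A", rdatas, old_zsk, expiration=14 * 86400)

    # t=600: old HSM is gone, zone re-signed with the emergency ZSK. The resolver
    # still holds the old RRSIG and now fetches the DNSKEY RRset to validate it.
    dnskey_rrset = [ksk, emergency_zsk] + ([old_zsk] if keep_old_zsk else [])
    return validate(owner, "A", rdatas, cached_rrsig, dnskey_rrset, now=600)


if __name__ == "__main__":
    print("old ZSK removed :", emergency_switch_scenario(keep_old_zsk=False))
    print("old ZSK retained:", emergency_switch_scenario(keep_old_zsk=True))
```

With the old ZSK dropped from the DNSKEY RRset the cached answer goes bogus for every resolver that still holds the old RRSIG; keeping the old DNSKEY published makes it validate. The old DNSKEY has to stay in the zone at least until every RRSIG made with it can have expired from caches (the largest TTL of data it signed), which is the same reasoning as a normal pre-publish ZSK rollover.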