On 07/26/2012 11:35 PM, Paul Wouters wrote:
>
> I'm not sure what this will yield. What I'm looking for is that if I
> pre-generate 3 years of keys into different HSMs, and then back up
> the kasp.db, that I can bootstrap multiple signers that would perform
> rollovers within the same hour independently - solely based on having
> identical keys on the HSM and an identical kasp.db.
What we do is replicate the whole stuff to the backup machines on an ongoing basis - so that everything is ready when needed (although a manual intervention would be required).

This said, while ODS does not preallocate keys to zones, it does link generated keys to a policy - so if you can have 1 policy per zone, behaviour should be fairly predictable. As far as I remember, the keys for rollover are chosen 'from the top of the list'. Assuming that sqlite is predictable on ordering the results, this could be enough (but personally I'd still keep the kasp-db 'fresh' on the backups).

Gilles

--
Fondation RESTENA - DNS-LU
6, rue Coudenhove-Kalergi
L-1359 Luxembourg
tel: (+352) 424409
fax: (+352) 422473

_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
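The caveat in Gilles' reply (key selection "from the top of the list" only matches across signers if the database returns rows in a predictable order) can be checked with a small simulation. This is an added example, not OpenDNSSEC code, and the `keys` table below is a constructed stand-in for a key inventory, not the real kasp.db schema: two replicas hold identical keys but loaded in a different row order, and only an explicit ORDER BY makes both pick the same next key per policy.

```python
import sqlite3

# Constructed stand-in for a per-policy key inventory (NOT the real kasp.db schema).
SCHEMA = """CREATE TABLE keys (
    hsm_key_id   TEXT NOT NULL,   -- identifier of the key object on the HSM
    policy       TEXT NOT NULL,   -- one policy per zone, as suggested in the thread
    state        TEXT NOT NULL,   -- 'generate' = pre-generated, not yet used
    generated_at TEXT NOT NULL)"""

# Constructed sample: the same pre-generated keys present on every replica.
KEYS = [
    ("0xa1", "example.com", "generate", "2012-07-01T00:00:00"),
    ("0xa2", "example.com", "generate", "2012-07-01T00:00:01"),
    ("0xb1", "example.net", "generate", "2012-07-01T00:00:02"),
    ("0xa0", "example.com", "active",   "2012-06-01T00:00:00"),
]

def load(rows):
    """Build an in-memory inventory; insertion order becomes the rowid order."""
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    db.executemany("INSERT INTO keys VALUES (?, ?, ?, ?)", rows)
    return db

def next_key_implicit(db, policy):
    """'Top of the list' with no ORDER BY: whatever row the engine scans first."""
    row = db.execute(
        "SELECT hsm_key_id FROM keys WHERE policy = ? AND state = 'generate'",
        (policy,)).fetchone()
    return row[0] if row else None

def next_key_ordered(db, policy):
    """Deterministic choice: oldest generated key first, key id as tie-breaker."""
    row = db.execute(
        "SELECT hsm_key_id FROM keys WHERE policy = ? AND state = 'generate' "
        "ORDER BY generated_at, hsm_key_id", (policy,)).fetchone()
    return row[0] if row else None

def replicas_agree(primary, backup, chooser):
    """True if both signers would roll to the same key for every policy."""
    policies = [r[0] for r in primary.execute("SELECT DISTINCT policy FROM keys")]
    return all(chooser(primary, p) == chooser(backup, p) for p in policies)

if __name__ == "__main__":
    primary, backup = load(KEYS), load(list(reversed(KEYS)))  # same keys, different row order
    print("implicit order agrees:", replicas_agree(primary, backup, next_key_implicit))
    print("explicit order agrees:", replicas_agree(primary, backup, next_key_ordered))
```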
