Hi Paul,

> If a large TLD gets a new registration, it needs to go out in minutes.
> So a signer always needs to be ready to sign right now. Therefore, TLDs
> or other large/dynamic zones will always need to have the option to
> switch from one hardware setup to another (identical) one.
> There is no time to go jump in a car and drive to a data centre.
> [..]
>
> I'm not sure what this will yield. What I'm looking for is that if I
> pre-generate 3 years of keys into different HSMs, and then backup
> the kasp.db, that I can bootstrap multiple signers that would perform
> rollovers within the same hour independently - solely based on having
> identical keys on the HSM and an identical kasp.db.

So in your situation the signer needs to be running at all times. The enforcer may still crash and burn without any direct consequence. Indeed, duplicating the signer would make sense.

The signer will use the HSM copy and a signconf.xml. The latter is generated by the enforcer. If that file is no longer updated, the signer keeps signing properly; only key rollovers and resalts will not happen till the enforcer is back up.

kasp.db does not need to be distributed, and you'd have time enough to take public transport to the data center. The only consequence is that all key rollovers (future _and_ current) will be on hold. (Which might not even be a bad idea in a situation like this.)

Regards,
Yuri

_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
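A small monitoring check for the split Yuri describes, added here as an example and not code from the thread or from OpenDNSSEC: it reads the signconf.xml the signer works from, reports which HSM keys are signing versus merely pre-published, and warns when the enforcer has stopped rewriting the file, which is the point at which rollovers and resalts are on hold. The element layout, the locator names and the staleness window are constructed assumptions for this example.

```python
# Added example (not from the thread or OpenDNSSEC): the enforcer writes
# signconf.xml and the signer only reads it, so with the enforcer down the
# signer keeps signing from whatever the file last said. The XML below is
# constructed; its element layout is an assumption about signconf.xml.
import xml.etree.ElementTree as ET

SAMPLE_SIGNCONF = """<SignerConfiguration>
  <Zone name="example.">
    <Denial><NSEC3><Hash>
      <Algorithm>1</Algorithm><Iterations>5</Iterations><Salt>c0ffee</Salt>
    </Hash></NSEC3></Denial>
    <Keys>
      <Key><Flags>257</Flags><Algorithm>8</Algorithm>
           <Locator>ksk-a</Locator><KSK/><Publish/></Key>
      <Key><Flags>256</Flags><Algorithm>8</Algorithm>
           <Locator>zsk-a</Locator><ZSK/><Publish/></Key>
      <Key><Flags>256</Flags><Algorithm>8</Algorithm>
           <Locator>zsk-b</Locator><Publish/></Key>
    </Keys>
  </Zone>
</SignerConfiguration>"""


def parse_signconf(xml_text):
    """Return the zone name, NSEC3 salt and per-key roles the signer would use."""
    zone = ET.fromstring(xml_text).find("Zone")
    keys = []
    for k in zone.findall("Keys/Key"):
        keys.append({
            "locator": k.findtext("Locator"),   # HSM object the signer looks up
            "ksk": k.find("KSK") is not None,   # signs the DNSKEY RRset
            "zsk": k.find("ZSK") is not None,   # signs the rest of the zone
            "publish": k.find("Publish") is not None,
        })
    return {"zone": zone.get("name"),
            "salt": zone.findtext("Denial/NSEC3/Hash/Salt"),
            "keys": keys}


def signconf_status(xml_text, file_age_s, max_age_s):
    """Summarise the signer's view; flag a signconf the enforcer stopped refreshing."""
    conf = parse_signconf(xml_text)
    conf["signing"] = [k["locator"] for k in conf["keys"] if k["ksk"] or k["zsk"]]
    # Published but not yet signing: a successor the enforcer staged for a rollover.
    conf["pre_published"] = [k["locator"] for k in conf["keys"]
                             if k["publish"] and not (k["ksk"] or k["zsk"])]
    # max_age_s must be derived from the zone's own rollover/resalt schedule;
    # an older file means the enforcer is no longer advancing rollovers.
    conf["enforcer_stale"] = file_age_s > max_age_s
    return conf
```

Point `file_age_s` at the real signconf.xml mtime (e.g. `time.time() - os.stat(path).st_mtime`) and alert on `enforcer_stale`; the `signing` and `pre_published` lists should match across every signer copy that shares the same HSM contents.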
