Hello,

> I want to use OpenDNSSEC for ~15 Zones. Each zone will use their own keys (no
> key sharing) and the same policy for the beginning, but it should be possible
> to change the policy for a certain zone later. Thus I think it would be smart
> to start with 15 policies, although they all look the same.

It is wise to forego key sharing if you can -- and with the SoftHSM, that is certainly the case.

You'd still have the problem of importing a new policy into a zone that was acclimatised to the old policy, had timers setup and so on. I'd bet it's hardly safer than migrating a zone from one policy to another.

We've actually edited policies at some point (for all zones tied to it) and re-imported it without difficulty; first on our stage platform, later live. We may have been lucky.

Developers? Is there a well-defined hackerish approach or set of constraints to stick to in order to do this safely? It would be a rather valuable document, if not for anything else then at least to take the stress out of planning-ahead as it is done here.

> I wonder what is the best setup for the SoftHSM. Shall I use a single
> slot/token for all keys, or should I have a dedicated slot per policy/zone?

The slots are just "plug points" for tokens, a bit like ISA slots. (Oops, I'm carbon-dating myself here… I meant to say ultra-micro-PCI-express of course)

I think you should only consider multiple tokens if you plan on taking out part of your zones to another hosting location.

Hope this helps,

-Rick

_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
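The "start with N identical policies so each zone can diverge later" idea from the question, as an added example that is not part of the thread: it clones one KASP policy into an independent deep copy per zone and emits a matching zone-to-policy list. The element layout (<KASP><Policy name=...> and <ZoneList><Zone name=...><Policy>) is assumed from the OpenDNSSEC kasp.xml and zonelist.xml files as the author of this example understands them, and the policy body and zone names are constructed; compare against the files shipped with your installed version.

```python
import copy
import xml.etree.ElementTree as ET

# Constructed minimal kasp.xml holding the single policy every zone starts from.
KASP_TEMPLATE = """<KASP>
  <Policy name="default">
    <Description>Shared starting policy</Description>
    <Signatures><Resign>PT2H</Resign><Refresh>P3D</Refresh></Signatures>
  </Policy>
</KASP>"""

ZONES = ["example.org", "example.net", "example.com"]  # constructed zone names


def clone_policies(kasp_xml, zones, base="default"):
    """Return a <KASP> tree with one policy per zone, named <base>-<zone>.

    Each copy is a deep copy of the template, so a later edit to one zone's
    policy (timers, algorithms, key lifetimes) leaves the other zones untouched.
    """
    root = ET.fromstring(kasp_xml)
    src = root.find(f"./Policy[@name='{base}']")
    if src is None:
        raise ValueError(f"policy {base!r} not found in kasp.xml")
    root.remove(src)  # drop the shared template; only per-zone copies remain
    for zone in zones:
        pol = copy.deepcopy(src)
        pol.set("name", f"{base}-{zone}")
        root.append(pol)
    return root


def zonelist(zones, base="default"):
    """Return a <ZoneList> tree binding each zone to its own policy name."""
    root = ET.Element("ZoneList")
    for zone in zones:
        z = ET.SubElement(root, "Zone", name=zone)
        ET.SubElement(z, "Policy").text = f"{base}-{zone}"
    return root


def policy_names(kasp_root):
    """Names of all policies in a <KASP> tree, in document order."""
    return [p.get("name") for p in kasp_root.findall("Policy")]


if __name__ == "__main__":
    print(ET.tostring(clone_policies(KASP_TEMPLATE, ZONES), encoding="unicode"))
    print(ET.tostring(zonelist(ZONES), encoding="unicode"))
```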
