On 17.07.2013 00:15, Sebastian Castro wrote:
> On 17/07/13 02:26, Gavin Brown wrote:
>> Hi Klaus,
>>
>>> Hi Gavin,
>>>
>>> On 16.07.2013 13:30, Gavin Brown wrote:
>>>> Hi there,
>>>>
>>>> We are evaluating an HSM for use with OpenDNSSEC. The vendor has
>>>> suggested that we consider manually generating all the keys we are
>>>> likely to need up-front, so that we only ever need to do a single backup.
>>>>
>>>> We're using this command to generate the keys:
>>>>
>>>>     ods-ksmutil key generate --policy default --interval [PERIOD]
>>>>
>>>> where [PERIOD] is:
>>>>
>>>>     number of zones * expected life of the system
>>>
>>> IIRC it is not necessary to specify 1000 years. If you have configured
>>> 100 zones using all the default policy, then it should be fine to just
>>> specify 10Y as interval - ODS automatically detects that this policy is
>>> used for 100 zones and automatically generates 100 times the required keys.
>>
>> The system currently has no zones in it - it's completely fresh. We
>> won't be adding zones until we know what they are, but the keys need to
>> be in place before the zones are added.
>
> We had to see on this issue because by policy we generate and backup
> keys once a year, but zones to be signed could be added any time.
>
> We found two alternatives: generate keys of certain size using
> ods-hsmutil and later on allocate them to a policy/zone using
> ods-ksmutil key import, or create "placeholder" zones, create keys for
> them and when needed, add the zone to be signed and re-allocate the keys
> to that zone using a script that "hacks" the KASP db.
>
> The first option is cleaner, but requires keeping track of the CKA_ID of
> the keys created. The second option works better with the generation
> process, but allocating the keys requires some hacking (we have a script
> developed and we've used it successfully).

In the end it seems that a feature request is necessary, e.g. an option
to ignore the zonelist but specify the number of zones on the
command line, e.g.:

    ods-ksmutil key generate --policy default \
        --zonecount [number of zones to generate keys] \
        --interval [PERIOD]

regards
Klaus
_______________________________________________
Opendnssec-user mailing list
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
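Sebastian's first option (pre-generate keys with ods-hsmutil, keep a record of their CKA_IDs, and hand one to the KASP database with "ods-ksmutil key import" once a zone actually arrives) sketched as an added shell example; it is not code from the list thread or from the OpenDNSSEC project, and it assumes the 1.x command syntax noted in the comments, a repository named SoftHSM, and a plain-text ledger file of constructed sample entries.

```shell
# Ledger of pre-generated HSM keys, one per line: "<CKA_ID> <bits> <allocated-to>",
# where the third field stays "free" until the key has been imported for a zone.
LEDGER="${LEDGER:-./hsm-key-ledger.txt}"
REPO="${REPO:-SoftHSM}"                       # assumed repository name
ODS_KSMUTIL="${ODS_KSMUTIL:-ods-ksmutil}"     # overridable, e.g. for a dry run

record_key() { printf '%s %s free\n' "$1" "$2" >>"$LEDGER"; }

# Step 1 (the yearly batch): generate COUNT keys of BITS size and record each CKA_ID.
# Assumes the 1.x form "ods-hsmutil generate <repository> rsa <bits>" and that the
# CKA_ID is the last word of the line reporting success (an assumption, not verified).
generate_batch() {
    count=$1; bits=$2; i=0
    while [ "$i" -lt "$count" ]; do
        cka_id=$(ods-hsmutil generate "$REPO" rsa "$bits" |
                 awk '/successful/ { id = $NF } END { print id }')
        [ -n "$cka_id" ] || return 1
        record_key "$cka_id" "$bits"
        i=$((i + 1))
    done
}

# Print the CKA_ID of the first free key of the requested size; non-zero status if none.
next_free_key() {
    awk -v bits="$1" '$2 == bits && $3 == "free" { print $1; found = 1; exit }
                      END { exit !found }' "$LEDGER"
}

# Rewrite the ledger so that one CKA_ID is marked as allocated to a zone.
mark_allocated() {
    awk -v id="$1" -v zone="$2" '$1 == id { $3 = zone } { print }' "$LEDGER" >"$LEDGER.tmp" &&
        mv "$LEDGER.tmp" "$LEDGER"
}

# How many free keys of a size remain, so the next batch can be scheduled in time.
free_count() { awk -v bits="$1" '$2 == bits && $3 == "free" { n++ } END { print n + 0 }' "$LEDGER"; }

# Step 2 (when a zone is added): take a free key and import it into the KASP DB.
# Assumes "ods-ksmutil key import" with --cka_id/--repository/--zone/--bits/--algorithm/
# --keystate/--keytype/--time; algorithm 8 is RSASHA256. The ledger is only updated
# after the import succeeds, so a failed import leaves the key marked free.
allocate_key() {
    zone=$1; keytype=$2; bits=$3
    cka_id=$(next_free_key "$bits") || { echo "no free $bits-bit key in $LEDGER" >&2; return 1; }
    "$ODS_KSMUTIL" key import --cka_id "$cka_id" --repository "$REPO" --zone "$zone" \
        --bits "$bits" --algorithm 8 --keystate generate --keytype "$keytype" \
        --time "$(date -u +%Y-%m-%dT%H:%M:%S)" || return 1
    mark_allocated "$cka_id" "$zone"
    echo "$cka_id"
}
```

The ledger is what has to be backed up together with the HSM, since it is the only link between a CKA_ID in the HSM and the zone that later consumed it.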