On mån, 2014-05-19 at 13:09 +0200, Petr Spacek wrote:
> Private key will be distributed by underlying PKCS#11 implementation but we 
> need to receive key ID and all the metadata necessary for DNS 
> signing/orchestration.
> 
> > There are a few different keys and states, there are HSM keys (raw key
> > material) and keys in KASP and they both carry a lot of states.
> Imagine that we want to use ODS to generate keys. All the key metadata needs
> to be stored in a distributed database (along with the key ID) so all the K* files
> can be reconstructed on all DNS servers.
> 
> Basically we need to get timestamps and DNSSEC key flags as they are stored
> in K*.private keys for BIND.

Have you looked at the signconf files generated by the Enforcer? They
contain all the information the Signer needs to sign the zone. The
Signer does not use the KASP database.

You could monitor that directory and trigger on file changes/add and
retrieve the new information and propagate it.

-- 
Jerry Lundström - OpenDNSSEC Developer
http://www.opendnssec.org/
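The directory-watching approach suggested above, as an added example that is not OpenDNSSEC's own code: it extracts only the key metadata (locator, flags, algorithm, role, publish state) from a signconf file and reports what changed between two snapshots, so a propagation step fires only on real changes and never touches private key material (the Locator is a PKCS#11 key identifier, not the key). The element names follow the OpenDNSSEC 1.x signconf layout as I recall it (an assumption), and the two XML documents are constructed samples with placeholder locators.

```python
"""Parse an OpenDNSSEC signconf file and report key metadata changes.

Added example, not OpenDNSSEC code. Element names follow the
OpenDNSSEC 1.x signconf layout (assumption); the XML below is constructed.
"""
import xml.etree.ElementTree as ET

# Constructed sample signconf; Locator values are placeholders, not real CKA_IDs.
SIGNCONF_V1 = """<SignerConfiguration><Zone name="example.com"><Keys><TTL>PT3600S</TTL>
<Key><Flags>257</Flags><Algorithm>8</Algorithm><Locator>ksk-placeholder-1</Locator><KSK/><Publish/></Key>
<Key><Flags>256</Flags><Algorithm>8</Algorithm><Locator>zsk-placeholder-1</Locator><ZSK/><Publish/></Key>
</Keys></Zone></SignerConfiguration>"""

# Same zone one rollover step later: a second ZSK is published, the old one is no longer.
SIGNCONF_V2 = """<SignerConfiguration><Zone name="example.com"><Keys><TTL>PT3600S</TTL>
<Key><Flags>257</Flags><Algorithm>8</Algorithm><Locator>ksk-placeholder-1</Locator><KSK/><Publish/></Key>
<Key><Flags>256</Flags><Algorithm>8</Algorithm><Locator>zsk-placeholder-1</Locator><ZSK/></Key>
<Key><Flags>256</Flags><Algorithm>8</Algorithm><Locator>zsk-placeholder-2</Locator><ZSK/><Publish/></Key>
</Keys></Zone></SignerConfiguration>"""


def parse_signconf(xml_text):
    """Return {zone_name: {locator: metadata}} with only what a K* file rebuild needs."""
    root = ET.fromstring(xml_text)  # local Enforcer output, not untrusted input
    zones = {}
    for zone in root.iter("Zone"):
        keys = {}
        for key in zone.iter("Key"):
            keys[key.findtext("Locator")] = {
                "flags": int(key.findtext("Flags")),        # 257 = KSK (SEP), 256 = ZSK
                "algorithm": int(key.findtext("Algorithm")),
                "ksk": key.find("KSK") is not None,
                "zsk": key.find("ZSK") is not None,
                "publish": key.find("Publish") is not None,  # DNSKEY is in the zone
            }
        zones[zone.get("name")] = keys
    return zones


def diff_signconf(old, new):
    """Per zone, list locators that were added, removed, or whose metadata changed."""
    changes = {}
    for name in set(old) | set(new):
        o, n = old.get(name, {}), new.get(name, {})
        changes[name] = {
            "added": sorted(set(n) - set(o)),
            "removed": sorted(set(o) - set(n)),
            "changed": sorted(k for k in set(o) & set(n) if o[k] != n[k]),
        }
    return changes
```

Hook `parse_signconf` up to whatever file-change notifier you use on the signconf directory and feed consecutive snapshots to `diff_signconf`; only the returned metadata needs to go into the distributed database.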


_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
