On 19.5.2014 13:21, Jerry Lundström wrote:
> On mån, 2014-05-19 at 13:09 +0200, Petr Spacek wrote:
>> Private key will be distributed by underlying PKCS#11 implementation but we
>> need to receive key ID and all the metadata necessary for DNS
>> signing/orchestration.
>
> There are a few different keys and states, there are HSM keys (raw key
> material) and keys in KASP and they both carry a lot of states.

>> Imagine that we want to use ODS to generate keys. All the key metadata need to
>> be stored in a distributed database (along with key ID) so all the K* files can
>> be reconstructed on all DNS servers.
>>
>> Basically we need to get timestamps and DNSSEC key flags as they are stored in
>> K*.private keys for BIND.
>
> Have you looked at the signconf files generated by the Enforcer? The

I have ignored the signer completely because we plan to use only the Enforcer.

Now I have looked into /var/opendnssec/signconf/example.xml and it seems that I will be able to generate K*.private keys except for the timestamps:

Created: 20140429162528
Publish: 20140429162528
Activate: 20140429162528
...

I guess that I can read those from the KASP database.

> contain all the information the Signer needs to sign the zone. The
> Signer does not use the KASP database.
>
> You could monitor that directory and trigger on file changes/add and
> retrieve the new information and propagate it.

That could work at least as a monitoring mechanism, even if I have to read some data from the KASP database.

Does it make sense?

Thank you for your time!

--
Petr^2 Spacek
_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
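The reconstruction discussed in this thread, as an added example that is not code from OpenDNSSEC or from either poster: key flags, algorithm and PKCS#11 locator are read from a signconf XML file, and the Created/Publish/Activate timestamps that signconf lacks are taken from KASP data. The signconf sample is constructed to resemble the Enforcer's layout and the KASP rows are a constructed stand-in keyed by locator; both are assumptions, and the timestamp rendering only reproduces the YYYYMMDDHHMMSS lines quoted above.

```python
"""Rebuild per-key metadata from a signconf file plus KASP timestamps."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed sample modelled on the Enforcer's signconf layout; not a real file.
SIGNCONF_SAMPLE = """<SignerConfiguration>
  <Zone name="example.com">
    <Keys>
      <TTL>PT3600S</TTL>
      <Key><Flags>257</Flags><Algorithm>8</Algorithm>
           <Locator>a1b2c3d4e5f6</Locator><KSK/><Publish/></Key>
      <Key><Flags>256</Flags><Algorithm>8</Algorithm>
           <Locator>0f1e2d3c4b5a</Locator><ZSK/><Publish/></Key>
    </Keys>
  </Zone>
</SignerConfiguration>"""

# Constructed stand-in for rows read from the KASP database (UNIX times, keyed by locator).
KASP_TIMES_SAMPLE = {
    "a1b2c3d4e5f6": {"Created": 1398788728, "Publish": 1398788728, "Activate": 1398788728},
}


def signconf_keys(xml_text):
    """Return one dict per <Key>: zone, flags, algorithm, PKCS#11 locator, role, publish state."""
    root = ET.fromstring(xml_text)
    keys = []
    for zone in root.iter("Zone"):
        for key in zone.iter("Key"):
            keys.append({
                "zone": zone.get("name"),
                "flags": int(key.findtext("Flags")),
                "algorithm": int(key.findtext("Algorithm")),
                "locator": key.findtext("Locator"),  # key ID inside the PKCS#11 token
                "role": "KSK" if key.find("KSK") is not None else "ZSK",
                "published": key.find("Publish") is not None,
            })
    return keys


def bind_timestamp(epoch):
    """Format a UNIX time as the YYYYMMDDHHMMSS (UTC) form used in K*.private files."""
    return datetime.fromtimestamp(epoch, timezone.utc).strftime("%Y%m%d%H%M%S")


def private_metadata(key, kasp_times):
    """Timestamp lines for the key's K*.private file; None when KASP has no row for it."""
    times = kasp_times.get(key["locator"])
    if times is None:
        return None  # signconf alone cannot supply these; caller must not guess them
    return [f"{name}: {bind_timestamp(times[name])}" for name in ("Created", "Publish", "Activate")]
```

A monitoring loop would call signconf_keys on every changed file in the signconf directory and refuse to emit a K*.private file while private_metadata returns None.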