On Tue, Feb 28, 2017 at 9:42 PM, Jakob Schlyter <[email protected]> wrote:

> On 2017-02-28 at 19:47, Roman Serbski wrote:
>
>> We're planning to migrate to 2.1.0, and to introduce hardware HSM with
>> ZSKs still stored under SoftHSM and KSKs to be handled by the hardware
>> HSM (SafeNet).
>
> (out of scope for your question, but anyway)
>
> Why not store both KSK and ZSK in the HSM? They are of almost equal value
> and a compromised ZSK can be used to sign anything, including other ZSKs.
I agree, but we're limited by the space on the HSM partition, which is 500KB. Both ZSK and KSK stored on the HSM will consume ~2768 bytes (+ an extra 2768 bytes during the roll-over), which leaves us ~90 domains only. The proper solution would probably be to extend the partition, but last time I asked for a quote it was some unrealistic figure. :)

_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
