Support / SUPPORT-18

Feature request: general pool of available keys

    Details

    • Type: New Feature
    • Status: Closed
    • Priority: Major
    • Resolution: Won't Fix
    • Affects Version/s: OpenDNSSEC 2.0
    • Fix Version/s: None
    • Component/s: Enforcer
    • Labels:

      Description

      While working on the implementation of our DNSSEC deployment we came to the conclusion that it would be helpful to have a general pool of pre-generated keys available (of certain common specifiable sizes, e.g. 10x 1024-bit keys and 10x 2048-bit keys).

      The use case for this is simple: we use HSMs to store key material and we expect to add new signing policies on a regular basis. We will be using shared keys (e.g. each university etc. has one set of keys for all its zones). At regular intervals, we will need to create a new policy when a new customer enables DNSSEC for its first zone. This is all done by an automated system. The problem we face is that we cannot start producing signed zones for this customer/new policy until we have backed up the newly generated keys that belong to the policy. And our backup procedure is such that it cannot be done automatically (the HSM requires manual intervention for security reasons) which means that it may take some time (days) before this new zone can be taken into production.

      This issue could easily be resolved by having a pool of pre-generated keys available for general use (i.e. not yet assigned to a policy) that the enforcer can choose from when it needs new keys for a new policy.

      Summarising: is it possible to add this feature to the enforcer? I think there is a use case here for registrars.

            People

            Assignee:
            sion Siôn Lloyd
            Reporter:
            rijswijk Roland van Rijswijk