feature survey -- bind9 dnssec -- autogenerate missing signatures
Francis Dupont
Francis.Dupont at fdupont.fr
Wed Sep 3 11:53:37 UTC 2008
In your previous mail you wrote:
> I'm not sure this is a good idea because the people who are most
> likely to use this feature will probably be unaware of the risks of
> having the signing key on-line and won't have taken suitable
> precautions.
=> note the signing key doesn't need to be on-line, only the signing
capability has to be available on-line (there are two common ways to
provide this: the signing key on-line and a protected key store,
something you can find in HSMs (Hardware Security Modules). In the
second case it is possible to make the private key not extractable
(and with FIPS 140-2 HSMs certified at high levels, really not possible),
i.e., you can only abuse the signing function).
> They're also likely to be the people that will be
> startled by the SOA serial number magically changing as a result of on
> the fly signing.
=> it is already the case for dynamic updates (which is strongly related
to on-line (re-)signing).
Regards
Francis.Dupont at fdupont.fr
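The SOA serial change discussed above is what lets secondaries notice re-signed or dynamically updated data, and it has to move "forward" in RFC 1982 wrap-around arithmetic or transfers silently stop. The following is an added illustration, not code from this thread or from BIND; the policy names "increment" and "date" are my own labels, not any server's configuration syntax.

```python
"""RFC 1982 serial arithmetic and SOA serial bumping for on-the-fly re-signing."""
import datetime
from typing import Optional

MOD = 2 ** 32    # SOA serial is an unsigned 32-bit value
HALF = 2 ** 31   # RFC 1982 only defines comparisons/additions below this


def serial_gt(a: int, b: int) -> bool:
    """True if serial a is 'greater' than b in RFC 1982 sequence-space terms."""
    a, b = a % MOD, b % MOD
    if a == b:
        return False
    return (a < b and b - a > HALF) or (a > b and a - b < HALF)


def serial_add(s: int, n: int) -> int:
    """Add n (0 <= n < 2**31) to serial s, wrapping at 2**32."""
    if not 0 <= n < HALF:
        raise ValueError("RFC 1982 only defines additions below 2**31")
    return (s + n) % MOD


def needs_transfer(have: int, offered: int) -> bool:
    """A secondary pulls the zone only if the offered serial is newer than its own."""
    return serial_gt(offered, have)


def bump_serial(current: int, method: str, today: Optional[datetime.date] = None) -> int:
    """Return the serial a server would write after re-signing or a dynamic update.

    'increment': current + 1 (illustrative label).
    'date':      YYYYMMDDnn form (illustrative label); start at today's YYYYMMDD00
                 but never produce a value that is not 'greater' than current.
    """
    if method == "increment":
        return serial_add(current, 1)
    if method == "date":
        today = today or datetime.date.today()
        candidate = int(today.strftime("%Y%m%d")) * 100
        # Already at or past today's date form: step past the current serial instead.
        if not serial_gt(candidate, current):
            candidate = serial_add(current, 1)
        return candidate
    raise ValueError(f"unknown method {method!r}")
```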