On 2018-11-08 01:04, Full Name wrote:
> By default, Knot will use the local file system as its key storage. I
> believe that, when using the SoftHSM backend, the same is true. For
> most practical purposes, the implication is that the key storage has
> an unlimited capacity for keys. Now when using an actual HSM, that is
> not true - most HSMs will, in general, have a relatively modest key
> storage capacity, especially when compared to that of a local
> filesystem.
Yes, that is correct.
> Does Knot have capabilities to deal with such situations? If
> I need to have 150 keys in my key storage, but my key storage can't
> hold more than 100, how does Knot deal with this? Conceptually, one
> only has to wrap the keys in the HSM appropriately and dump them to
> disk - where they will remain inaccessible to anybody but the HSM.
> After this, one can generate (or unwrap) more keys, and use them as
> necessary. Is this something that Knot can already do?
The only solution with Knot DNS is using shared keys
https://www.knot-dns.cz/docs/2.7/singlehtml/index.html#ksk-shared.
Also Single-Type Signing Scheme could help to reduce the number of keys
https://www.knot-dns.cz/docs/2.7/singlehtml/index.html#single-type-signing.
Daniel
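As an added example (not part of this thread or of the Knot DNS project's own documentation), the two options Daniel points to written as a Knot DNS 2.7-style configuration that keeps the number of keys held in a PKCS#11 HSM small; the token name, PIN, module path, zone names and policy names are placeholders I assumed:

```yaml
# Added example: reduce the number of DNSSEC keys stored in an HSM.
# Assumed placeholders: token "knot", PIN 1234, SoftHSM module path,
# the zone names and the policy/keystore identifiers.

keystore:
  - id: hsm
    backend: pkcs11
    # "<pkcs11 URI> <path to PKCS#11 module>"
    config: "pkcs11:token=knot;pin-value=1234 /usr/lib/softhsm/libsofthsm2.so"

policy:
  # Option 1: one KSK shared by every zone that uses this policy.
  # For N zones this holds N ZSKs + 1 KSK instead of 2N keys
  # (not counting keys that exist temporarily during a rollover).
  - id: shared-ksk
    keystore: hsm
    algorithm: ecdsap256sha256
    ksk-shared: on

  # Option 2: Single-Type Signing Scheme, one CSK per zone instead of
  # a KSK/ZSK pair, so N zones need N keys.
  - id: single-key
    keystore: hsm
    algorithm: ecdsap256sha256
    single-type-signing: on

zone:
  - domain: example.com
    dnssec-signing: on
    dnssec-policy: shared-ksk
  - domain: example.net
    dnssec-signing: on
    dnssec-policy: single-key
```

Whichever policy is chosen, the HSM still has to hold the extra key generated ahead of each rollover, so leave headroom below the token's capacity.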