Hi Marian,
Currently there is no plan for implementation of a multi-signer dnssec solution. As you
surely know, it's not easy to implement it.
And still we don't have a clear idea how to deal with this requirement.
What is your intention for having more signers? Online signing, hot-spare signer, or
higher signing performance?
Best,
Daniel
On 5/31/21 5:04 PM, Kadziolka, Marian wrote:
Hi,
Are there any plans to implement some multi-signer/multi-master dnssec
capabilities/solution? As far as I understand, there is no possibility to run two or more
Knot servers with automatic key management [1] where all the servers use the same dnssec
keys.
Manual key management [2] can be used, but all the dnssec key automation of Knot will be
lost. KASP DB sharing [3] or active and backup signer [4] is not a real multi-master
solution. Some ideas:
* Multi-Signer DNSSEC Models
  * https://datatracker.ietf.org/doc/html/rfc8901
* DNSSEC automation
  * https://www.ietf.org/staging/draft-wisser-dnssec-automation-00.html
Or do you have any ideas/recommendations on how to create a multi-master dnssec setup and keep
automatic key management [1]?
Thanks
Marian
[1] https://www.knot-dns.cz/docs/3.0/html/configuration.html#dnssec-automatic-z…
[2] https://www.knot-dns.cz/docs/3.0/html/configuration.html#dnssec-manual-key-…
[3] https://lists.nic.cz/pipermail/knot-dns-users/2019-November/001716.html
[4] https://lists.nic.cz/pipermail/knot-dns-users/2020-December/001943.html