Speaker
Tamas Csillag
(PCH.net)
Description
In my talk I plan to summarize the properties of
PCH's DNSSEC bump in the wire signer from 2010.
(which was based on bind9 and custom code in c/bash/perl)
What were our goals and motivations for the upgrade.
Why we ended up choosing knot as a replacement signer.
Our process include a keysigning ceremony where ZSKs are generated and RRSIGs for those keys years in advance.
I will talk about how we use the keysigning output with knot's offline-ksk functionality and how we utilize HSMs.
Another part to be presented is nsd and how we use its relatively recent functionality the verifier hook to check the correctness of the DNSSEC signed zones.
| Talk duration |
|---|
Primary author
Tamas Csillag
(PCH.net)
