In deployment scenarios where you require dynamic updates, or want to use an HSM that needs multiple threads for decent signing performance, OpenDNSSEC version 1.x falls short. There are plans for how to address this in version 2.x, but fortunately there are other options until then. When designing OpenDNSSEC I’ve always tried to keep the different modules clearly separated and the interfaces between them well defined. This recently paid off when I started replacing the OpenDNSSEC signer engine with ISC BIND.

By using the OpenDNSSEC key manager, the KASP Enforcer, to manage the signing keys and cryptographic parameters, and then converting this information into a format that ISC BIND can read, one can replace the original signer engine with BIND. This works both for offline signing (i.e. when the zone is first signed and then loaded into a name server) and for online signing (i.e. when the zone is signed while BIND is running).

My tests with BIND 9.7.0rc2 look very promising, and this looks like a viable alternative for those who want to sign their dynamically updated zones but don’t want to bother with manual key management.